[ANNOUNCE] Git v2.2.0

[ANNOUNCE] Git v2.2.0

[Junio C Hamano]

The latest feature release Git v2.2 is now available at the usual
places.  Big thanks go to 77 contributors, among which 20 are new
people, who made 550+ changes in total since Git v2.1 was released.

The tarballs are found at:

    https://www.kernel.org/pub/software/scm/git/

The following public repositories all have a copy of the 'v2.2.0'
tag and the 'master' branch that the tag points at:

  url = https://kernel.googlesource.com/pub/scm/git/git
  url = git://repo.or.cz/alt-git.git
  url = https://code.google.com/p/git-core/
  url = git://git.sourceforge.jp/gitroot/git-core/git.git
  url = git://git-core.git.sourceforge.net/gitroot/git-core/git-core
  url = https://github.com/gitster/git

Git v2.2 Release Notes
======================

Updates since v2.1
------------------

Ports

 * Building on older MacOS X systems automatically sets
   the necessary NO_APPLE_COMMON_CRYPTO build-time option.

 * Building with NO_PTHREADS has been resurrected.

 * Compilation options have been updated a bit to better support the
   z/OS port.


UI, Workflows & Features

 * "git archive" learned to filter what gets archived with a pathspec.

 * "git config --edit --global" starts from a skeletal per-user
   configuration file contents, instead of a total blank, when the
   user does not already have any global config.  This immediately
   reduces the need to later ask "Have you forgotten to set
   core.user?", and we can add more to the template as we gain
   more experience.

 * "git stash list -p" used to be almost always a no-op because each
   stash entry is represented as a merge commit.  It learned to show
   the difference between the base commit version and the working tree
   version, which is in line with what "git stash show" gives.

 * Sometimes users want to report a bug they experience on their
   repository, but they are not at liberty to share the contents of
   the repository.  "fast-export" was taught an "--anonymize" option
   to replace blob contents, names of people, paths and log
   messages with bland and simple strings to help them.

 * "git difftool" learned an option to stop feeding paths to the
   diff backend when it exits with a non-zero status.

 * "git grep" learned to paint (or not paint) partial matches on
   context lines when showing "grep -C<num>" output in color.

 * "log --date=iso" uses a slight variant of the ISO 8601 format that is
   more human readable.  A new "--date=iso-strict" option gives
   datetime output that conforms more strictly.

 * The logic "git prune" uses is more resilient against various corner
   cases.

 * A broken reimplementation of Git could write an invalid index that
   records both stage #0 and higher-stage entries for the same path.
   We now notice and reject such an index, as there is no sensible
   fallback (we do not know if the broken tool wanted to resolve and
   forgot to remove the higher-stage entries, or if it wanted to unresolve
   and forgot to remove the stage #0 entry).

 * The temporary files "git mergetool" uses are renamed to avoid too
   many dots in them (e.g. a temporary file for "hello.c" used to be
   named e.g. "hello.BASE.4321.c" but now uses underscore instead,
   e.g. "hello_BASE_4321.c", to allow us to have multiple variants).

 * The temporary files "git mergetool" uses can be placed in a newly
   created temporary directory, instead of the current directory, by
   setting the mergetool.writeToTemp configuration variable.

 * "git mergetool" understands "--tool bc" now, as version 4 of
   BeyondCompare can be driven the same way as its version 3 and it
   feels awkward to say "--tool bc3" to run version 4.

 * The "pre-receive" and "post-receive" hooks are no longer required
   to consume their input fully (not following this requirement used
   to result in intermittent errors in "git push").

 * The pretty-format specifier "%d", which expands to " (tagname)"
   for a tagged commit, gained a cousin "%D" that just gives the
   "tagname" without frills.

 * "git push" learned "--signed" push, that allows a push (i.e.
   request to update the refs on the other side to point at a new
   history, together with the transmission of necessary objects) to be
   signed, so that it can be verified and audited, using the GPG
   signature of the person who pushed, that the tips of branches at a
   public repository really point the commits the pusher wanted to,
   without having to "trust" the server.

 * "git interpret-trailers" is a new filter to programmatically edit
   the tail end of the commit log messages, e.g. "Signed-off-by:".

 * "git help everyday" shows the "Everyday Git in 20 commands or so"
   document, whose contents have been updated to match more modern
   Git practice.

 * On the "git svn" front, work progresses to reduce memory consumption and
   to improve handling of mergeinfo.


Performance, Internal Implementation, Development Support etc.

 * The API to manipulate the "refs" has been restructured to make it
   more transactional, with the eventual goal to allow all-or-none
   atomic updates and migrating the storage to something other than
   the traditional filesystem based one (e.g. databases).

 * The lockfile API and its users have been cleaned up.

 * We no longer attempt to keep track of individual dependencies to
   the header files in the build procedure, relying instead on automated
   dependency generation support from modern compilers.

 * In tests, we have been using NOT_{MINGW,CYGWIN} test prerequisites
   long before negated prerequisites e.g. !MINGW were invented.
   The former has been converted to the latter to avoid confusion.

 * Optimized looking up a remote's configuration in a repository with very many
   remotes defined.

 * There are cases where you lock and open to write a file, close it
   to show the updated contents to an external processes, and then have
   to update the file again while still holding the lock; now the
   lockfile API has support for such an access pattern.

 * The API to allocate the structure to keep track of commit
   decoration has been updated to make it less cumbersome to use.

 * An in-core caching layer to let us avoid reading the same
   configuration files several times has been added.  A few commands
   have been converted to use this subsystem.

 * Various code paths have been cleaned up and simplified by using
   the "strbuf", "starts_with()", and "skip_prefix()" APIs more.

 * A few codepaths that died when large blobs that would not fit in
   core are involved in their operation have been taught to punt
   instead, by e.g. marking a too-large blob as not to be diffed.

 * A few more code paths in "commit" and "checkout" have been taught
   to repopulate the cache-tree in the index, to help speed up later
   "write-tree" (used in "commit") and "diff-index --cached" (used in
   "status").

 * A common programming mistake to assign the same short option name
   to two separate options is detected by the parse_options() API to help
   developers.

 * The code path to write out the packed-refs file has been optimized,
   which especially matters in a repository with a large number of
   refs.

 * The check to see if a ref $F can be created by making sure no
   existing ref has $F/ as its prefix has been optimized, which
   especially matters in a repository with a large number of existing
   refs.

 * "git fsck" was taught to check the contents of tag objects a bit more.

 * "git hash-object" was taught a "--literally" option to help
   debugging.

 * When running a required clean filter, we do not have to mmap the
   original before feeding the filter.  Instead, stream the file
   contents directly to the filter and process its output.

 * The scripts in the test suite can be run with the "-x" option to show
   a shell-trace of each command they run.

 * The "run-command" API learned to manage the argv and environment
   arrays for child process, alleviating the need for the callers to
   allocate and deallocate them.

 * Some people use AsciiDoctor, instead of AsciiDoc, to format our
   documentation set; the documentation has been adjusted to be usable
   by both, as AsciiDoctor is pickier than AsciiDoc about its input
   mark-up.


Also contains various documentation updates and code clean-ups.


Fixes since v2.1
----------------

Unless otherwise noted, all the fixes since v2.1 in the maintenance
track are contained in this release (see the maintenance releases'
notes for details).

 * "git log --pretty/format=" with an empty format string did not
   mean the more obvious "No output whatsoever" but "Use default
   format", which was counterintuitive.

 * "git -c section.var command" and "git -c section.var= command"
   should pass the configuration value differently (the former should be a
   boolean true, the latter should be an empty string).

 * Applying a patch not generated by Git in a subdirectory used to
   check for whitespace breakage using the attributes of incorrect
   paths. Also whitespace checks were performed even for paths
   excluded via the "git apply --exclude=<path>" mechanism.

 * "git bundle create" with a date-range specification was meant to
   exclude tags outside the range, but it didn't.

 * "git add x" where x used to be a directory and is now a
   symbolic link to a directory misbehaved.

 * The prompt script checked the $GIT_DIR/ref/stash file to see if there
   is a stash, which was a no-no.

 * Pack-protocol documentation had a minor typo.

 * "git checkout -m" did not switch to another branch while carrying
   the local changes forward when a path was deleted from the index.

 * "git daemon" (with NO_IPV6 build configuration) used to incorrectly
   use the hostname even when gethostbyname() reported that the given
   hostname is not found.
   (merge 107efbe rs/daemon-fixes later to maint).

 * With sufficiently long refnames, "git fast-import" could have
   overflowed an on-stack buffer.

 * After "pack-refs --prune" packed refs at the top-level, it failed
   to prune them.

 * Progress output from "git gc --auto" was visible in "git fetch -q".

 * We used to pass -1000 to poll(2), expecting it to also mean "no
   timeout", which should be spelled as -1.

 * "git rebase" documentation was unclear that it is required to
   specify on what <upstream> the rebase is to be done when telling it
   to first check out <branch>.
   (merge 95c6826 so/rebase-doc later to maint).

 * "git push" over HTTP transport had an artificial limit on the number of
   refs that can be pushed, imposed by the command line length.
   (merge 26be19b jk/send-pack-many-refspecs later to maint).

 * When receiving an invalid pack stream that records the same object
   twice, multiple threads got confused due to a race.
   (merge ab791dd jk/index-pack-threading-races later to maint).

 * An attempt to remove the entire tree in the "git fast-import" input
   stream caused it to misbehave.
   (merge 2668d69 mb/fast-import-delete-root later to maint).

 * Reachability check (used in "git prune" and friends) did not add a
   detached HEAD as a starting point to traverse objects still in use.
   (merge c40fdd0 mk/reachable-protect-detached-head later to maint).

 * "git config --add section.var val" when section.var already has an
   empty-string value used to lose the empty-string value.
   (merge c1063be ta/config-add-to-empty-or-true-fix later to maint).

 * "git fsck" failed to report that it found corrupt objects via its
   exit status in some cases.
   (merge 30d1038 jk/fsck-exit-code-fix later to maint).

 * Use of the "--verbose" option used to break "git branch --merged".
   (merge 12994dd jk/maint-branch-verbose-merged later to maint).

 * Some MUAs mangle a line in a message that begins with "From " to
   ">From " when writing to a mailbox file, and feeding such an input
   to "git am" used to lose such a line.
   (merge 85de86a jk/mbox-from-line later to maint).

 * "rev-parse --verify --quiet $name" is meant to quietly exit with a
   non-zero status when $name is not a valid object name, but still
   gave error messages in some cases.

 * A handful of C source files have been updated to include
   "git-compat-util.h" as the first thing, to conform better to our
   coding guidelines.
   (merge 1c4b660 da/include-compat-util-first-in-c later to maint).

 * The t7004 test, which tried to run Git with small stack space, has been
   updated to use a bit larger stack to avoid false breakage on some
   platforms.
   (merge b9a1907 sk/tag-contains-wo-recursion later to maint).

 * A few documentation pages had example sections marked up not quite
   correctly, which passed AsciiDoc but failed with AsciiDoctor.
   (merge c30c43c bc/asciidoc-pretty-formats-fix later to maint).
   (merge f8a48af bc/asciidoc later to maint).

 * "gitweb" used deprecated CGI::startfrom, which was removed from
   CGI.pm as of 4.04; use CGI::start_from instead.
   (merge 4750f4b rm/gitweb-start-form later to maint).

 * Newer versions of 'meld' break the auto-detection we use to see if
   they are new enough to support the `--output` option.
   (merge b12d045 da/mergetool-meld later to maint).

 * "git pack-objects" forgot to disable the codepath to generate the
   object reachability bitmap when it needs to split the resulting
   pack.
   (merge 2113471 jk/pack-objects-no-bitmap-when-splitting later to maint).

 * The code to use cache-tree trusted the on-disk data too much and
   fell into an infinite loop upon seeing an incorrectly recorded
   index file.
   (merge 729dbbd jk/cache-tree-protect-from-broken-libgit2 later to maint).

 * "git fetch" into a repository where branch B was deleted earlier,
   back when it had reflog enabled, and then branch B/C is fetched
   into it without reflog enabled, which is arguably an unlikely
   corner case, unnecessarily failed.
   (merge aae828b jk/fetch-reflog-df-conflict later to maint).

 * "git log --first-parent -L..." used to crash.
   (merge a8787c5 tm/line-log-first-parent later to maint).

Re: [ANNOUNCE] Git v2.2.0

[Steven Noonan]

On Wed, Nov 26, 2014 at 3:09 PM, Junio C Hamano <gitster@pobox.com> wrote:
> The latest feature release Git v2.2 is now available at the usual
> places.  Big thanks go to 77 contributors, among which 20 are new
> people, who made 550+ changes in total since Git v2.1 was released.
>
> The tarballs are found at:
>
>     https://www.kernel.org/pub/software/scm/git/
>
> The following public repositories all have a copy of the 'v2.2.0'
> tag and the 'master' branch that the tag points at:
>
>   url = https://kernel.googlesource.com/pub/scm/git/git
>   url = git://repo.or.cz/alt-git.git
>   url = https://code.google.com/p/git-core/
>   url = git://git.sourceforge.jp/gitroot/git-core/git.git
>   url = git://git-core.git.sourceforge.net/gitroot/git-core/git-core
>   url = https://github.com/gitster/git
>
> Git v2.2 Release Notes
> ======================
>
> Updates since v2.1
> ------------------
>
> Ports
>
>  * Building on older MacOS X systems automatically sets
>    the necessary NO_APPLE_COMMON_CRYPTO build-time option.
>
>  * Building with NO_PTHREADS has been resurrected.
>
>  * Compilation options have been updated a bit to better support the
>    z/OS port.
>
>
> UI, Workflows & Features
>
>  * "git archive" learned to filter what gets archived with a pathspec.
>
>  * "git config --edit --global" starts from a skeletal per-user
>    configuration file contents, instead of a total blank, when the
>    user does not already have any global config.  This immediately
>    reduces the need to later ask "Have you forgotten to set
>    core.user?", and we can add more to the template as we gain
>    more experience.
>
>  * "git stash list -p" used to be almost always a no-op because each
>    stash entry is represented as a merge commit.  It learned to show
>    the difference between the base commit version and the working tree
>    version, which is in line with what "git stash show" gives.
>
>  * Sometimes users want to report a bug they experience on their
>    repository, but they are not at liberty to share the contents of
>    the repository.  "fast-export" was taught an "--anonymize" option
>    to replace blob contents, names of people, paths and log
>    messages with bland and simple strings to help them.
>
>  * "git difftool" learned an option to stop feeding paths to the
>    diff backend when it exits with a non-zero status.
>
>  * "git grep" learned to paint (or not paint) partial matches on
>    context lines when showing "grep -C<num>" output in color.
>
>  * "log --date=iso" uses a slight variant of the ISO 8601 format that is
>    more human readable.  A new "--date=iso-strict" option gives
>    datetime output that conforms more strictly.
>
>  * The logic "git prune" uses is more resilient against various corner
>    cases.
>
>  * A broken reimplementation of Git could write an invalid index that
>    records both stage #0 and higher-stage entries for the same path.
>    We now notice and reject such an index, as there is no sensible
>    fallback (we do not know if the broken tool wanted to resolve and
>    forgot to remove the higher-stage entries, or if it wanted to unresolve
>    and forgot to remove the stage #0 entry).
>
>  * The temporary files "git mergetool" uses are renamed to avoid too
>    many dots in them (e.g. a temporary file for "hello.c" used to be
>    named e.g. "hello.BASE.4321.c" but now uses underscore instead,
>    e.g. "hello_BASE_4321.c", to allow us to have multiple variants).
>
>  * The temporary files "git mergetool" uses can be placed in a newly
>    created temporary directory, instead of the current directory, by
>    setting the mergetool.writeToTemp configuration variable.
>
>  * "git mergetool" understands "--tool bc" now, as version 4 of
>    BeyondCompare can be driven the same way as its version 3 and it
>    feels awkward to say "--tool bc3" to run version 4.
>
>  * The "pre-receive" and "post-receive" hooks are no longer required
>    to consume their input fully (not following this requirement used
>    to result in intermittent errors in "git push").
>
>  * The pretty-format specifier "%d", which expands to " (tagname)"
>    for a tagged commit, gained a cousin "%D" that just gives the
>    "tagname" without frills.
>
>  * "git push" learned "--signed" push, that allows a push (i.e.
>    request to update the refs on the other side to point at a new
>    history, together with the transmission of necessary objects) to be
>    signed, so that it can be verified and audited, using the GPG
>    signature of the person who pushed, that the tips of branches at a
>    public repository really point the commits the pusher wanted to,
>    without having to "trust" the server.
>
>  * "git interpret-trailers" is a new filter to programmatically edit
>    the tail end of the commit log messages, e.g. "Signed-off-by:".
>
>  * "git help everyday" shows the "Everyday Git in 20 commands or so"
>    document, whose contents have been updated to match more modern
>    Git practice.
>
>  * On the "git svn" front, work progresses to reduce memory consumption and
>    to improve handling of mergeinfo.
>
>
> Performance, Internal Implementation, Development Support etc.
>
>  * The API to manipulate the "refs" has been restructured to make it
>    more transactional, with the eventual goal to allow all-or-none
>    atomic updates and migrating the storage to something other than
>    the traditional filesystem based one (e.g. databases).
>
>  * The lockfile API and its users have been cleaned up.
>
>  * We no longer attempt to keep track of individual dependencies to
>    the header files in the build procedure, relying instead on automated
>    dependency generation support from modern compilers.
>
>  * In tests, we have been using NOT_{MINGW,CYGWIN} test prerequisites
>    long before negated prerequisites e.g. !MINGW were invented.
>    The former has been converted to the latter to avoid confusion.
>
>  * Optimized looking up a remote's configuration in a repository with very many
>    remotes defined.
>
>  * There are cases where you lock and open to write a file, close it
>    to show the updated contents to an external processes, and then have
>    to update the file again while still holding the lock; now the
>    lockfile API has support for such an access pattern.
>
>  * The API to allocate the structure to keep track of commit
>    decoration has been updated to make it less cumbersome to use.
>
>  * An in-core caching layer to let us avoid reading the same
>    configuration files several times has been added.  A few commands
>    have been converted to use this subsystem.
>
>  * Various code paths have been cleaned up and simplified by using
>    the "strbuf", "starts_with()", and "skip_prefix()" APIs more.
>
>  * A few codepaths that died when large blobs that would not fit in
>    core are involved in their operation have been taught to punt
>    instead, by e.g. marking a too-large blob as not to be diffed.
>
>  * A few more code paths in "commit" and "checkout" have been taught
>    to repopulate the cache-tree in the index, to help speed up later
>    "write-tree" (used in "commit") and "diff-index --cached" (used in
>    "status").
>
>  * A common programming mistake to assign the same short option name
>    to two separate options is detected by the parse_options() API to help
>    developers.
>
>  * The code path to write out the packed-refs file has been optimized,
>    which especially matters in a repository with a large number of
>    refs.
>
>  * The check to see if a ref $F can be created by making sure no
>    existing ref has $F/ as its prefix has been optimized, which
>    especially matters in a repository with a large number of existing
>    refs.
>
>  * "git fsck" was taught to check the contents of tag objects a bit more.
>
>  * "git hash-object" was taught a "--literally" option to help
>    debugging.
>
>  * When running a required clean filter, we do not have to mmap the
>    original before feeding the filter.  Instead, stream the file
>    contents directly to the filter and process its output.
>
>  * The scripts in the test suite can be run with the "-x" option to show
>    a shell-trace of each command they run.
>
>  * The "run-command" API learned to manage the argv and environment
>    arrays for child process, alleviating the need for the callers to
>    allocate and deallocate them.
>
>  * Some people use AsciiDoctor, instead of AsciiDoc, to format our
>    documentation set; the documentation has been adjusted to be usable
>    by both, as AsciiDoctor is pickier than AsciiDoc about its input
>    mark-up.
>
>
> Also contains various documentation updates and code clean-ups.
>
>
> Fixes since v2.1
> ----------------
>
> Unless otherwise noted, all the fixes since v2.1 in the maintenance
> track are contained in this release (see the maintenance releases'
> notes for details).
>
>  * "git log --pretty/format=" with an empty format string did not
>    mean the more obvious "No output whatsoever" but "Use default
>    format", which was counterintuitive.
>
>  * "git -c section.var command" and "git -c section.var= command"
>    should pass the configuration value differently (the former should be a
>    boolean true, the latter should be an empty string).
>
>  * Applying a patch not generated by Git in a subdirectory used to
>    check for whitespace breakage using the attributes of incorrect
>    paths. Also whitespace checks were performed even for paths
>    excluded via the "git apply --exclude=<path>" mechanism.
>
>  * "git bundle create" with a date-range specification was meant to
>    exclude tags outside the range, but it didn't.
>
>  * "git add x" where x used to be a directory and is now a
>    symbolic link to a directory misbehaved.
>
>  * The prompt script checked the $GIT_DIR/ref/stash file to see if there
>    is a stash, which was a no-no.
>
>  * Pack-protocol documentation had a minor typo.
>
>  * "git checkout -m" did not switch to another branch while carrying
>    the local changes forward when a path was deleted from the index.
>
>  * "git daemon" (with NO_IPV6 build configuration) used to incorrectly
>    use the hostname even when gethostbyname() reported that the given
>    hostname is not found.
>    (merge 107efbe rs/daemon-fixes later to maint).
>
>  * With sufficiently long refnames, "git fast-import" could have
>    overflowed an on-stack buffer.
>
>  * After "pack-refs --prune" packed refs at the top-level, it failed
>    to prune them.
>
>  * Progress output from "git gc --auto" was visible in "git fetch -q".
>
>  * We used to pass -1000 to poll(2), expecting it to also mean "no
>    timeout", which should be spelled as -1.
>
>  * "git rebase" documentation was unclear that it is required to
>    specify on what <upstream> the rebase is to be done when telling it
>    to first check out <branch>.
>    (merge 95c6826 so/rebase-doc later to maint).
>
>  * "git push" over HTTP transport had an artificial limit on the number of
>    refs that can be pushed, imposed by the command line length.
>    (merge 26be19b jk/send-pack-many-refspecs later to maint).
>
>  * When receiving an invalid pack stream that records the same object
>    twice, multiple threads got confused due to a race.
>    (merge ab791dd jk/index-pack-threading-races later to maint).
>
>  * An attempt to remove the entire tree in the "git fast-import" input
>    stream caused it to misbehave.
>    (merge 2668d69 mb/fast-import-delete-root later to maint).
>
>  * Reachability check (used in "git prune" and friends) did not add a
>    detached HEAD as a starting point to traverse objects still in use.
>    (merge c40fdd0 mk/reachable-protect-detached-head later to maint).
>
>  * "git config --add section.var val" when section.var already has an
>    empty-string value used to lose the empty-string value.
>    (merge c1063be ta/config-add-to-empty-or-true-fix later to maint).
>
>  * "git fsck" failed to report that it found corrupt objects via its
>    exit status in some cases.
>    (merge 30d1038 jk/fsck-exit-code-fix later to maint).
>
>  * Use of the "--verbose" option used to break "git branch --merged".
>    (merge 12994dd jk/maint-branch-verbose-merged later to maint).
>
>  * Some MUAs mangle a line in a message that begins with "From " to
>    ">From " when writing to a mailbox file, and feeding such an input
>    to "git am" used to lose such a line.
>    (merge 85de86a jk/mbox-from-line later to maint).
>
>  * "rev-parse --verify --quiet $name" is meant to quietly exit with a
>    non-zero status when $name is not a valid object name, but still
>    gave error messages in some cases.
>
>  * A handful of C source files have been updated to include
>    "git-compat-util.h" as the first thing, to conform better to our
>    coding guidelines.
>    (merge 1c4b660 da/include-compat-util-first-in-c later to maint).
>
>  * The t7004 test, which tried to run Git with small stack space, has been
>    updated to use a bit larger stack to avoid false breakage on some
>    platforms.
>    (merge b9a1907 sk/tag-contains-wo-recursion later to maint).
>
>  * A few documentation pages had example sections marked up not quite
>    correctly, which passed AsciiDoc but failed with AsciiDoctor.
>    (merge c30c43c bc/asciidoc-pretty-formats-fix later to maint).
>    (merge f8a48af bc/asciidoc later to maint).
>
>  * "gitweb" used deprecated CGI::startfrom, which was removed from
>    CGI.pm as of 4.04; use CGI::start_from instead.
>    (merge 4750f4b rm/gitweb-start-form later to maint).
>
>  * Newer versions of 'meld' break the auto-detection we use to see if
>    they are new enough to support the `--output` option.
>    (merge b12d045 da/mergetool-meld later to maint).
>
>  * "git pack-objects" forgot to disable the codepath to generate the
>    object reachability bitmap when it needs to split the resulting
>    pack.
>    (merge 2113471 jk/pack-objects-no-bitmap-when-splitting later to maint).
>
>  * The code to use cache-tree trusted the on-disk data too much and
>    fell into an infinite loop upon seeing an incorrectly recorded
>    index file.
>    (merge 729dbbd jk/cache-tree-protect-from-broken-libgit2 later to maint).
>
>  * "git fetch" into a repository where branch B was deleted earlier,
>    back when it had reflog enabled, and then branch B/C is fetched
>    into it without reflog enabled, which is arguably an unlikely
>    corner case, unnecessarily failed.
>    (merge aae828b jk/fetch-reflog-df-conflict later to maint).
>
>  * "git log --first-parent -L..." used to crash.
>    (merge a8787c5 tm/line-log-first-parent later to maint).

I'm sad to report that I'm getting test failures with this release.
Built from git and did 'make -C t prove NO_SVN_TESTS=1' and got this
result:

$ make -j8
$ make -C t prove NO_SVN_TESTS=1 PROVE="prove -j8"
[...]
Test Summary Report
-------------------
t4202-log.sh                                     (Wstat: 256 Tests: 42 Failed: 2)
  Failed tests:  41-42
  Non-zero exit status: 1
t5534-push-signed.sh                             (Wstat: 256 Tests: 7 Failed: 2)
  Failed tests:  6-7
  Non-zero exit status: 1
t5801-remote-helpers.sh                          (Wstat: 256 Tests: 28 Failed: 2)
  Failed tests:  21-22
  Non-zero exit status: 1
t6050-replace.sh                                 (Wstat: 256 Tests: 33 Failed: 4)
  Failed tests:  30-33
  Non-zero exit status: 1
t6300-for-each-ref.sh                            (Wstat: 256 Tests: 134 Failed: 19)
  Failed tests:  115-133
  Non-zero exit status: 1
t7510-signed-commit.sh                           (Wstat: 256 Tests: 10 Failed: 10)
  Failed tests:  1-10
  Non-zero exit status: 1
t7612-merge-verify-signatures.sh                 (Wstat: 256 Tests: 6 Failed: 5)
  Failed tests:  2-6
  Non-zero exit status: 1
t7600-merge.sh                                   (Wstat: 256 Tests: 49 Failed: 2)
  Failed tests:  48-49
  Non-zero exit status: 1
t7004-tag.sh                                     (Wstat: 256 Tests: 136 Failed: 32)
  Failed tests:  65-66, 69-72, 74-75, 77-100
  Non-zero exit status: 1
Files=685, Tests=11975, 88 wallclock secs ( 3.97 usr  0.70 sys + 73.84 cusr 22.10 csys = 100.61 CPU)
Result: FAIL


I suspect that gnupg v2.1 is to blame somehow (I've had similar bad behavior
with my own projects using GPG in automation). Running through several of the
git tests shows that gpg is failing to sign:


$ make -C t t7510-signed-commit GIT_TEST_OPTS="--verbose --debug"
make: Entering directory '/home/snoonan/Development/git/t'
*** t7510-signed-commit.sh ***
Initialized empty Git repository in /home/snoonan/Development/git/t/trash directory.t7510-signed-commit/.git/
expecting success:
[...]
gpg: starting migration from earlier GnuPG versions
gpg: porting secret keys from '/home/snoonan/Development/git/t/trash directory.t7510-signed-commit/gpghome/secring.gpg' to gpg-agent
gpg: key CDDE430D: secret key imported
gpg: key B7227189: secret key imported
gpg: migration succeeded
gpg: signing failed: Operation cancelled
gpg: signing failed: Operation cancelled
error: gpg failed to sign the data
fatal: failed to write commit object
gpg: signing failed: Operation cancelled
gpg: signing failed: Operation cancelled
error: gpg failed to sign the data
fatal: failed to write commit object
not ok 1 - create signed commits


If I build and install the old gnupg v2.0.26 package, things are
happier:


$ make -C t prove NO_SVN_TESTS=1 PROVE="prove -j8"
[...]
All tests successful.
Files=685, Tests=11975, 87 wallclock secs ( 4.02 usr  0.69 sys + 76.41 cusr 21.96 csys = 103.08 CPU)
Result: PASS


Using Arch Linux on x86_64. Anyone else able to repro?

Re: [ANNOUNCE] Git v2.2.0

[Jeff King]

[nit: when quoting in your replies, please trim quotes to a reasonable
 length]

On Thu, Nov 27, 2014 at 01:32:24PM -0800, Steven Noonan wrote:

> I'm sad to report that I'm getting test failures with this release.
> Built from git and did 'make -C t prove NO_SVN_TESTS=1' and got this
> result:
> [...]
> I suspect that gnupg v2.1 is to blame somehow (I've had similar bad behavior
> with my own projects using GPG in automation). Running through several of the
> git tests shows that gpg is failing to sign:

I can reproduce here on Debian by installing gnupg2 v2.1 from
experimental (this gets installed as /usr/bin/gpg2, so I had to tweak
the code to use "gpg2" by default). In my case, gpg2 repeatedly contacts
the gpg-agent and pops up X dialogs asking to unlock keyrings in the
test suite. Hitting "cancel" causes the tests to fail. Clicking "OK"
with an empty passphrase lets the test pass.

The good news is that it is similarly broken on git v2.1.0. So this
isn't something we broke; it's the new version of gnupg2.

It's not clear to me whether this is a regression in gnupg, or if
there's some magic configuration setting we need to get the old
behavior. It seems like the new version is more aggressive in trying to
use the agent to get a passphrase, even though the keyrings in the test
are unencrypted, and do not need any passphrase. Which sounds like a bug
to me.

You might have some luck talking with the gnupg folks about this
possible bug. As a simple reproduction, doing:

  cd git/t/lib-gpg
  export GNUPGHOME=$PWD
  echo foo | gpg --sign -a

works fine with gnupg1, or earlier versions of gnupg2. But with gnupg
2.1, it causes the agent to pop up a passphrase dialog.

-Peff

Re: [ANNOUNCE] Git v2.2.0

[Michael J Gruber]

Steven Noonan schrieb am 27.11.2014 um 22:32:

> 
> I'm sad to report that I'm getting test failures with this release.
> Built from git and did 'make -C t prove NO_SVN_TESTS=1' and got this
> result:
> 
> $ make -j8
> $ make -C t prove NO_SVN_TESTS=1 PROVE="prove -j8"
> [...]
> Test Summary Report
> -------------------
> t4202-log.sh                                     (Wstat: 256 Tests: 42 Failed: 2)
>   Failed tests:  41-42
>   Non-zero exit status: 1
> t5534-push-signed.sh                             (Wstat: 256 Tests: 7 Failed: 2)
>   Failed tests:  6-7
>   Non-zero exit status: 1
> t5801-remote-helpers.sh                          (Wstat: 256 Tests: 28 Failed: 2)
>   Failed tests:  21-22
>   Non-zero exit status: 1
> t6050-replace.sh                                 (Wstat: 256 Tests: 33 Failed: 4)
>   Failed tests:  30-33
>   Non-zero exit status: 1
> t6300-for-each-ref.sh                            (Wstat: 256 Tests: 134 Failed: 19)
>   Failed tests:  115-133
>   Non-zero exit status: 1
> t7510-signed-commit.sh                           (Wstat: 256 Tests: 10 Failed: 10)
>   Failed tests:  1-10
>   Non-zero exit status: 1
> t7612-merge-verify-signatures.sh                 (Wstat: 256 Tests: 6 Failed: 5)
>   Failed tests:  2-6
>   Non-zero exit status: 1
> t7600-merge.sh                                   (Wstat: 256 Tests: 49 Failed: 2)
>   Failed tests:  48-49
>   Non-zero exit status: 1
> t7004-tag.sh                                     (Wstat: 256 Tests: 136 Failed: 32)
>   Failed tests:  65-66, 69-72, 74-75, 77-100
>   Non-zero exit status: 1
> Files=685, Tests=11975, 88 wallclock secs ( 3.97 usr  0.70 sys + 73.84 cusr 22.10 csys = 100.61 CPU)
> Result: FAIL
> 
> 
> I suspect that gnupg v2.1 is to blame somehow (I've had similar bad behavior
> with my own projects using GPG in automation). Running through several of the
> git tests shows that gpg is failing to sign:
> 
> 
> $ make -C t t7510-signed-commit GIT_TEST_OPTS="--verbose --debug"
> make: Entering directory '/home/snoonan/Development/git/t'
> *** t7510-signed-commit.sh ***
> Initialized empty Git repository in /home/snoonan/Development/git/t/trash directory.t7510-signed-commit/.git/
> expecting success:
> [...]
> gpg: starting migration from earlier GnuPG versions
> gpg: porting secret keys from '/home/snoonan/Development/git/t/trash directory.t7510-signed-commit/gpghome/secring.gpg' to gpg-agent
> gpg: key CDDE430D: secret key imported
> gpg: key B7227189: secret key imported
> gpg: migration succeeded
> gpg: signing failed: Operation cancelled
> gpg: signing failed: Operation cancelled
> error: gpg failed to sign the data
> fatal: failed to write commit object
> gpg: signing failed: Operation cancelled
> gpg: signing failed: Operation cancelled
> error: gpg failed to sign the data
> fatal: failed to write commit object
> not ok 1 - create signed commits
> 
> 
> If I build and install the old gnupg v2.0.26 package, things are
> happier:
> 
> 
> $ make -C t prove NO_SVN_TESTS=1 PROVE="prove -j8"
> [...]
> All tests successful.
> Files=685, Tests=11975, 87 wallclock secs ( 4.02 usr  0.69 sys + 76.41 cusr 21.96 csys = 103.08 CPU)
> Result: PASS
> 
> 
> Using Arch Linux on x86_64. Anyone else able to repro?
> 

Are you running gnome_keyring_deamon by any chance? It think it runs by
default in Gnome, claims to offer gpg_agent functionality but does not
seem to do so fully. I.e., its presence may keep gpg2.1 from starting
its own gpg-agent. But gpg2.1 ("gnupg modern branch") needs a new
gpg-agent which knows how to handle secret keys for gpg2.1.

(I may take a shot at trying, but I'm on Fedora - they're slow and
special in all things gpg/crypto. And compiling gpg2.1 means compiling
all the bits and pieces that monster consists of these days...)

Michael

tests do not work with gpg 2.1

[Jeff King]

[updated subject, as this is not specific to the v2.2.0 release at all]

On Fri, Nov 28, 2014 at 10:48:51AM +0100, Michael J Gruber wrote:

> Are you running gnome_keyring_deamon by any chance? It think it runs by
> default in Gnome, claims to offer gpg_agent functionality but does not
> seem to do so fully. I.e., its presence may keep gpg2.1 from starting
> its own gpg-agent. But gpg2.1 ("gnupg modern branch") needs a new
> gpg-agent which knows how to handle secret keys for gpg2.1.
> 
> (I may take a shot at trying, but I'm on Fedora - they're slow and
> special in all things gpg/crypto. And compiling gpg2.1 means compiling
> all the bits and pieces that monster consists of these days...)

I'm not running the gnome daemon (I do normally run gpg-agent, though),
and I can reproduce.

I wanted to try experimenting today with making sure GPG_AGENT_INFO was
unset in the environment. But despite nothing changing (i.e., before I
even cleared that variable), I'm getting totally different results.

Now when I run t4202, I get no agent prompt, and just:

    ok 40 - dotdot is a parent directory
    
    expecting success: 
            test_when_finished "git reset --hard && git checkout master" &&
            git checkout -b signed master &&
            echo foo >foo &&
            git add foo &&
            git commit -S -m signed_commit &&
            git log --graph --show-signature -n1 signed >actual &&
            grep "^| gpg: Signature made" actual &&
            grep "^| gpg: Good signature" actual
    
    Switched to a new branch 'signed'
    gpg: skipped "C O Mitter <committer@example.com>": No secret key
    gpg: signing failed: No secret key
    error: gpg failed to sign the data
    fatal: failed to write commit object

And then a subsequent run gives me:

    rm: cannot remove '/home/peff/compile/git/t/trash directory.t4202-log/gpghome/private-keys-v1.d/19D48118D24877F59C2AE86FEC8C3E90694B2631.key': Permission denied
    rm: cannot remove '/home/peff/compile/git/t/trash directory.t4202-log/gpghome/private-keys-v1.d/E0C803F8BC3BCC4990E174E05936A7636E888899.key': Permission denied
    rm: cannot remove '/home/peff/compile/git/t/trash directory.t4202-log/gpghome/private-keys-v1.d/FCFAC48BF12AC0FCC32B69AB90AA7B1891382C29.key': Permission denied
    rm: cannot remove '/home/peff/compile/git/t/trash directory.t4202-log/gpghome/private-keys-v1.d/D50A866904B91C0C49A3F6059584F4A09807D330.key': Permission denied
    FATAL: Cannot prepare test area

It seems that it creates the private-keys directory without the 'x' bit:

    $ ls -ld trash*/gpghome/private-keys-v1.d
    drw------- 2 peff peff 4096 Nov 28 11:45 trash directory.t4202-log/gpghome/private-keys-v1.d/

So that's weird, and doubly so that it is behaving differently than it
was last night. Obviously _something_ must have change. Maybe something
related to the state of my running agent, I guess.

-Peff

Re: tests do not work with gpg 2.1

[Michael J Gruber]

Jeff King schrieb am 28.11.2014 um 17:50:
> [updated subject, as this is not specific to the v2.2.0 release at all]
> 
> On Fri, Nov 28, 2014 at 10:48:51AM +0100, Michael J Gruber wrote:
> 
>> Are you running gnome_keyring_deamon by any chance? It think it runs by
>> default in Gnome, claims to offer gpg_agent functionality but does not
>> seem to do so fully. I.e., its presence may keep gpg2.1 from starting
>> its own gpg-agent. But gpg2.1 ("gnupg modern branch") needs a new
>> gpg-agent which knows how to handle secret keys for gpg2.1.
>>
>> (I may take a shot at trying, but I'm on Fedora - they're slow and
>> special in all things gpg/crypto. And compiling gpg2.1 means compiling
>> all the bits and pieces that monster consists of these days...)
> 
> I'm not running the gnome daemon (I do normally run gpg-agent, though),
> and I can reproduce.

You get the passphrase prompt, Steven didn't, if I understood correctly.
You can continue successfully by hitting OK, Steven coudn't hit anything...

> I wanted to try experimenting today with making sure GPG_AGENT_INFO was
> unset in the environment. But despite nothing changing (i.e., before I
> even cleared that variable), I'm getting totally different results.
> 
> Now when I run t4202, I get no agent prompt, and just:
> 
>     ok 40 - dotdot is a parent directory
>     
>     expecting success: 
>             test_when_finished "git reset --hard && git checkout master" &&
>             git checkout -b signed master &&
>             echo foo >foo &&
>             git add foo &&
>             git commit -S -m signed_commit &&
>             git log --graph --show-signature -n1 signed >actual &&
>             grep "^| gpg: Signature made" actual &&
>             grep "^| gpg: Good signature" actual
>     
>     Switched to a new branch 'signed'
>     gpg: skipped "C O Mitter <committer@example.com>": No secret key
>     gpg: signing failed: No secret key
>     error: gpg failed to sign the data
>     fatal: failed to write commit object

That is how things turned for Steven, afaik.

> And then a subsequent run gives me:
> 
>     rm: cannot remove '/home/peff/compile/git/t/trash directory.t4202-log/gpghome/private-keys-v1.d/19D48118D24877F59C2AE86FEC8C3E90694B2631.key': Permission denied
>     rm: cannot remove '/home/peff/compile/git/t/trash directory.t4202-log/gpghome/private-keys-v1.d/E0C803F8BC3BCC4990E174E05936A7636E888899.key': Permission denied
>     rm: cannot remove '/home/peff/compile/git/t/trash directory.t4202-log/gpghome/private-keys-v1.d/FCFAC48BF12AC0FCC32B69AB90AA7B1891382C29.key': Permission denied
>     rm: cannot remove '/home/peff/compile/git/t/trash directory.t4202-log/gpghome/private-keys-v1.d/D50A866904B91C0C49A3F6059584F4A09807D330.key': Permission denied
>     FATAL: Cannot prepare test area
> 
> It seems that it creates the private-keys directory without the 'x' bit:
> 
>     $ ls -ld trash*/gpghome/private-keys-v1.d
>     drw------- 2 peff peff 4096 Nov 28 11:45 trash directory.t4202-log/gpghome/private-keys-v1.d/
> 
> So that's weird, and doubly so that it is behaving differently than it
> was last night. Obviously _something_ must have change. Maybe something
> related to the state of my running agent, I guess.
> 
> -Peff
> 

I think if you unset GPG_AGENT_INFO, gpg2.1 thinks there is no agent,
starts it's own and talks to it via a socket directly (no env variable).
Now that one seems come with different options (regarding pinentry) so
that it can't even ask you for a passphrase.

That private-keys directory is from the first run of gpg2.1 on a pre-2.1
GPGHOME. It converts the old secring db to that new dir of entries and
uses that instead.

Regarding the umask: That may actually be fallout from

e7f224f (t/lib-gpg: make gpghome files writable, 2014-10-24)

where I didn't expect directories to be present in gpghome. Maybe i
should change

chmod 0700 gpghome
chmod 0600 gpghome/*

to

chmod -R o+w gpghome/

though I felt somehow safer with the explicit permissions.

Michael

[PATCH] t/lib-gpg: adjust permissions for gnupg 2.1

[Michael J Gruber]

Before gnupg 2.1 (aka "modern branch"), gpghome would contain only files
which allowed t/lib-gpg.sh to set permissions explicitely, and we did
that since
28a1b07 (t/lib-gpg: adjust permissions for gnupg 2.1, 2014-12-02)
in order to adjust wrong permissions from a checkout on ro file systems.

gnupg 2.1 creates a new directory in gpghome which would get its x bit removed.

Adjust and use +X so that any directory would get its x bit set. This
also keeps the x bit on files which had it set for whatever wrong
reason, but we care only about having at least the necessary
permissions for the tests to run.

Signed-off-by: Michael J Gruber <git@drmicha.warpmail.net>
---
Something like this?
Untested for lack of gpg2.1

 t/lib-gpg.sh | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/t/lib-gpg.sh b/t/lib-gpg.sh
index cd2baef..25ca12d 100755
--- a/t/lib-gpg.sh
+++ b/t/lib-gpg.sh
@@ -17,8 +17,7 @@ else
 		# Name and email: C O Mitter <committer@example.com>
 		# No password given, to enable non-interactive operation.
 		cp -R "$TEST_DIRECTORY"/lib-gpg ./gpghome
-		chmod 0700 gpghome
-		chmod 0600 gpghome/*
+		chmod -R u+rwX gpghome
 		GNUPGHOME="$(pwd)/gpghome"
 		export GNUPGHOME
 		test_set_prereq GPG
-- 
2.2.0.rc3.286.g888a711

Re: [PATCH] t/lib-gpg: adjust permissions for gnupg 2.1

[Jeff King]

On Tue, Dec 02, 2014 at 02:40:27PM +0100, Michael J Gruber wrote:

> Before gnupg 2.1 (aka "modern branch"), gpghome would contain only files
> which allowed t/lib-gpg.sh to set permissions explicitely, and we did
> that since
> 28a1b07 (t/lib-gpg: adjust permissions for gnupg 2.1, 2014-12-02)
> in order to adjust wrong permissions from a checkout on ro file systems.

I think this 28a1b07 is wrong. Did you mean e7f224f?

> gnupg 2.1 creates a new directory in gpghome which would get its x bit removed.

Thanks for digging in this. The story is a little more tricky, though,
and I do not think this patch is strictly necessary.

We copy lib-gpg/* to the trash directory, and only run gpg on it there.
So it is there that gpg2.1 will munge the files, _after_ we have
copied and done our chmod. And that works fine with the current code.

The problem came when I was trying to test/debug, and outside of the
tests did "cd lib-gpg && gpg2 ...". That munged my lib-gpg directory,
and the resulting breakage was copied into each subsequent trash
directory.

So while your patch is not necessary, it is a nice defense against this
sort of manual munging, or against future patches which add more
directories. But...

> Adjust and use +X so that any directory would get its x bit set. This
> also keeps the x bit on files which had it set for whatever wrong
> reason, but we care only about having at least the necessary
> permissions for the tests to run.

Taking a step back, though, I am not sure I understand the reasoning
behind the original e7f224f. The rationale in the commit message is that
we want to make sure that the files are writable. But why would they not
be? They are created by "cp -R", so unless your umask does not allow the
owner to write to the files, they should be writable, no? And if your
umask is set that way, lots of things are going to break.

And indeed, if I remove the chmods completely, like:

diff --git a/t/lib-gpg.sh b/t/lib-gpg.sh
index cd2baef..6ee4bb6 100755
--- a/t/lib-gpg.sh
+++ b/t/lib-gpg.sh
@@ -17,8 +17,6 @@ else
 		# Name and email: C O Mitter <committer@example.com>
 		# No password given, to enable non-interactive operation.
 		cp -R "$TEST_DIRECTORY"/lib-gpg ./gpghome
-		chmod 0700 gpghome
-		chmod 0600 gpghome/*
 		GNUPGHOME="$(pwd)/gpghome"
 		export GNUPGHOME
 		test_set_prereq GPG

the tests run fine for me. What am I missing?

I do think the original "0700" chmod _is_ useful, though. But not
because it makes sure things are writable, but because it makes sure
that it is _not_ world-readable. GPG complains about the lax permissions
(of course it does not know that the keyrings are not really secrets in
this case). However, this does not actually prevent the tests from
running successfully.

So from my perspective, the simplest thing is to keep the original
"chmod 0700" for that reason (or make it "chmod go-rwx", if you like),
and drop the inner chmod completely (effectively reverting e7f224f). But
again, perhaps there is some case that it covers that I do not
understand.

-Peff

Re: [PATCH] t/lib-gpg: adjust permissions for gnupg 2.1

[Junio C Hamano]

Jeff King <peff@peff.net> writes:

> Taking a step back, though, I am not sure I understand the reasoning
> behind the original e7f224f. The rationale in the commit message is that
> we want to make sure that the files are writable. But why would they not
> be? They are created by "cp -R",...

Wait.  After doing this,

    $ mkdir -p src/a && >src/b 2>src/a/c && chmod a-w src/b src/a/c
    $ cp -R src dst
    $ ls -lR dst

dst/b and dst/a/c are 0440 (with umask 0027, which makes src/b and
src/a/c also 0440, which is copied with "cp -R").

I was primarily worried about t/lib-gpg/* being read-only from a
src-tarball extract when we had a discussion that led to e7f224f7
(t/lib-gpg: make gpghome files writable, 2014-10-24).

Re: [PATCH] t/lib-gpg: adjust permissions for gnupg 2.1

[Jeff King]

On Tue, Dec 02, 2014 at 03:57:50PM -0800, Junio C Hamano wrote:

> Wait.  After doing this,
> 
>     $ mkdir -p src/a && >src/b 2>src/a/c && chmod a-w src/b src/a/c
>     $ cp -R src dst
>     $ ls -lR dst
> 
> dst/b and dst/a/c are 0440 (with umask 0027, which makes src/b and
> src/a/c also 0440, which is copied with "cp -R").

Who is running that chmod and why? I know you are trying to simulate
"somehow they lost their 'w' bit" here, but what is that "somehow"?

Git does not track write-bits. So any git checkout should always have
the bit set, no? And likewise would any tarball generated by
git-archive. Does tar lose it on extraction? I would not think it would
do so, short of a broken umask.

Confused...

-Peff

Re: [PATCH] t/lib-gpg: adjust permissions for gnupg 2.1

[Junio C Hamano]

Jeff King <peff@peff.net> writes:

> On Tue, Dec 02, 2014 at 03:57:50PM -0800, Junio C Hamano wrote:
>
>> Wait.  After doing this,
>> 
>>     $ mkdir -p src/a && >src/b 2>src/a/c && chmod a-w src/b src/a/c
>>     $ cp -R src dst
>>     $ ls -lR dst
>> 
>> dst/b and dst/a/c are 0440 (with umask 0027, which makes src/b and
>> src/a/c also 0440, which is copied with "cp -R").
>
> Who is running that chmod and why? I know you are trying to simulate
> "somehow they lost their 'w' bit" here, but what is that "somehow"?

The very first thing I do after downloading and extracting a tarball
for any random project, before doing configure or make, is to a-w on
its files (but not directories, as I typically build in-place in the
source tree even for projects that support VPATH build).

Some ill-mannered projects' build break with this by trying to munge
their own source files.  They are, well, badly written, and I would
want to know about them, and that is one of the reasons behind a-w.

I do not know how widespread the practice is, but that was what I
did for this project, too, when I tried out Linus's first version
;-) These days, I do "git init && git add ." instead, so it does not
matter to me personally, but "cp -R" we do will matter to people who
still care without fixing the mode bits of the copied ones that we
intend to modify inside our tests and build procedure.

Re: [PATCH] t/lib-gpg: adjust permissions for gnupg 2.1

[Michael J Gruber]

Jeff King schrieb am 02.12.2014 um 22:07:
> On Tue, Dec 02, 2014 at 02:40:27PM +0100, Michael J Gruber wrote:
> 
>> Before gnupg 2.1 (aka "modern branch"), gpghome would contain only files
>> which allowed t/lib-gpg.sh to set permissions explicitely, and we did
>> that since
>> 28a1b07 (t/lib-gpg: adjust permissions for gnupg 2.1, 2014-12-02)
>> in order to adjust wrong permissions from a checkout on ro file systems.
> 
> I think this 28a1b07 is wrong. Did you mean e7f224f?

Ouch, I'm afraid I got that from my copy of the commit. After all, there
is some truth in the patch/apply vs. push/pull-merge workflow discussion...

>> gnupg 2.1 creates a new directory in gpghome which would get its x bit removed.
> 
> Thanks for digging in this. The story is a little more tricky, though,
> and I do not think this patch is strictly necessary.
> 
> We copy lib-gpg/* to the trash directory, and only run gpg on it there.
> So it is there that gpg2.1 will munge the files, _after_ we have
> copied and done our chmod. And that works fine with the current code.

Right. I should'nt draft patches when I don't have gpg2.1...

> The problem came when I was trying to test/debug, and outside of the
> tests did "cd lib-gpg && gpg2 ...". That munged my lib-gpg directory,
> and the resulting breakage was copied into each subsequent trash
> directory.
> 
> So while your patch is not necessary, it is a nice defense against this
> sort of manual munging, or against future patches which add more
> directories. But...
> 
>> Adjust and use +X so that any directory would get its x bit set. This
>> also keeps the x bit on files which had it set for whatever wrong
>> reason, but we care only about having at least the necessary
>> permissions for the tests to run.
> 
> Taking a step back, though, I am not sure I understand the reasoning
> behind the original e7f224f. The rationale in the commit message is that
> we want to make sure that the files are writable. But why would they not
> be? They are created by "cp -R", so unless your umask does not allow the
> owner to write to the files, they should be writable, no? And if your
> umask is set that way, lots of things are going to break.

IIRC: We had reports about some ro checkouts where the tests went wrong.
I.e., the git.git checkout was on a ro file system, and the cp somehow
created ro files in the tmp. Or was it the archive/pax issue?

In any case, we need writable gpghome (and contents), and the original
patch ensured that.

> And indeed, if I remove the chmods completely, like:
> 
> diff --git a/t/lib-gpg.sh b/t/lib-gpg.sh
> index cd2baef..6ee4bb6 100755
> --- a/t/lib-gpg.sh
> +++ b/t/lib-gpg.sh
> @@ -17,8 +17,6 @@ else
>  		# Name and email: C O Mitter <committer@example.com>
>  		# No password given, to enable non-interactive operation.
>  		cp -R "$TEST_DIRECTORY"/lib-gpg ./gpghome
> -		chmod 0700 gpghome
> -		chmod 0600 gpghome/*
>  		GNUPGHOME="$(pwd)/gpghome"
>  		export GNUPGHOME
>  		test_set_prereq GPG
> 
> the tests run fine for me. What am I missing?

You messed with the wrong parts in gpghome :)

> I do think the original "0700" chmod _is_ useful, though. But not
> because it makes sure things are writable, but because it makes sure
> that it is _not_ world-readable. GPG complains about the lax permissions
> (of course it does not know that the keyrings are not really secrets in
> this case). However, this does not actually prevent the tests from
> running successfully.
> 
> So from my perspective, the simplest thing is to keep the original
> "chmod 0700" for that reason (or make it "chmod go-rwx", if you like),
> and drop the inner chmod completely (effectively reverting e7f224f). But
> again, perhaps there is some case that it covers that I do not
> understand.
> 
> -Peff
> 

I would say the "modern branch" of gpg2.1 is still a bit unstable. If
the tests do run with it (as they seem to do, unless you mess with the
source of the cp) there are no permission fixes to do.

Orthogonal to that is the pinentry issue: I haven't checked whether
gpg2.1 asking for passphrases on passphrase-less secure keys is to be
fixed on the gpg side. If yes, I would just wait for that since gpg2.1
is not common yet.

If not, we should provide (in gpg config) an alternative pinentry that
just returns an empty passphrase without bugging the user.

Michael

Re: [PATCH] t/lib-gpg: adjust permissions for gnupg 2.1

[Junio C Hamano]

Michael J Gruber <git@drmicha.warpmail.net> writes:

> Orthogonal to that is the pinentry issue: I haven't checked whether
> gpg2.1 asking for passphrases on passphrase-less secure keys is to be
> fixed on the gpg side. If yes, I would just wait for that since gpg2.1
> is not common yet.
>
> If not, we should provide (in gpg config) an alternative pinentry that
> just returns an empty passphrase without bugging the user.

Sounds like a sensible plan to me.  Thanks.

Re: tests do not work with gpg 2.1

[Jeff King]

On Tue, Dec 02, 2014 at 01:55:31PM +0100, Michael J Gruber wrote:

> That private-keys directory is from the first run of gpg2.1 on a pre-2.1
> GPGHOME. It converts the old secring db to that new dir of entries and
> uses that instead.

Thanks for untangling this. As I mentioned elsewhere in the thread, it
was just that I had munged my parent lib-gpg directory. Cleaning that up
fixed the problem I was seeing, and I could proceed with experimenting.

> I think if you unset GPG_AGENT_INFO, gpg2.1 thinks there is no agent,
> starts it's own and talks to it via a socket directly (no env variable).
> Now that one seems come with different options (regarding pinentry) so
> that it can't even ask you for a passphrase.

If I unset GPG_AGENT_INFO, I still get the original behavior; a pop-up
dialog that asks for the passphrase (and feeding it the empty passphrase
works). My differing behavior from Steven may just be quirks in our
setup, or maybe it is the fact that I still have gpg1 installed.

I think the fundamental problem, though, is just that gpg2.1 cannot
seamlessly handle the case of a keyring with no passphrase. I am sure
this is not a well-tested case, since GPG devs likely would say "you're
doing it wrong". But obviously it makes sense here for testing purposes.

I'm not sure if the most expedient path is trying to convince gpg
developers that it's a bug, or if there is some workaround (like
"--passphrase-file /dev/null" or something).

I've been using the patch below to test, and am tempted to offer it for
inclusion. But if we need to hack up the gpg command-line just for the
tests, then lib-gpg.sh would end up setting gpg.program, and that would
override what my patch is doing anyway.

-- >8 --
Subject: Makefile: provide build-time config of "gpg" program

If the user hasn't configured gpg.program, we fallback to
running just "gpg". Since it _can_ be overridden by
run-time config, this is sufficient for most people who have
some specific "gpg" they want to run. However, there are two
reasons we might want a build-time configuration, too:

  1. A binary package may want to hard-code a matching gpg
     without requiring that the user set up their PATH or
     config explicitly.

  2. When running the test scripts, it's hard to debug tests
     using an alternate GPG, as it would involve tweaking
     each individual test script to set the gpg path.

Let's provide a Makefile knob for tweaking this.

Signed-off-by: Jeff King <peff@peff.net>
---
 Makefile        | 6 ++++++
 gpg-interface.c | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index 827006b..e3c1ec1 100644
--- a/Makefile
+++ b/Makefile
@@ -400,6 +400,7 @@ INSTALL = install
 RPMBUILD = rpmbuild
 TCL_PATH = tclsh
 TCLTK_PATH = wish
+GPG_PATH = gpg
 XGETTEXT = xgettext
 MSGFMT = msgfmt
 PTHREAD_LIBS = -lpthread
@@ -1503,6 +1504,10 @@ SHELL_PATH_CQ_SQ = $(subst ','\'',$(SHELL_PATH_CQ))
 BASIC_CFLAGS += -DSHELL_PATH='$(SHELL_PATH_CQ_SQ)'
 endif
 
+GPG_PATH_CQ = "$(subst ",\",$(subst \,\\,$(GPG_PATH)))"
+GPG_PATH_CQ_SQ = $(subst ','\'',$(GPG_PATH_CQ))
+BASIC_CFLAGS += -DGPG_PATH='$(GPG_PATH_CQ_SQ)'
+
 GIT_USER_AGENT_SQ = $(subst ','\'',$(GIT_USER_AGENT))
 GIT_USER_AGENT_CQ = "$(subst ",\",$(subst \,\\,$(GIT_USER_AGENT)))"
 GIT_USER_AGENT_CQ_SQ = $(subst ','\'',$(GIT_USER_AGENT_CQ))
@@ -2038,6 +2043,7 @@ GIT-BUILD-OPTIONS: FORCE
 	@echo SHELL_PATH=\''$(subst ','\'',$(SHELL_PATH_SQ))'\' >$@
 	@echo PERL_PATH=\''$(subst ','\'',$(PERL_PATH_SQ))'\' >>$@
 	@echo DIFF=\''$(subst ','\'',$(subst ','\'',$(DIFF)))'\' >>$@
+	@echo GPG_PATH=\''$(subst ','\'',$(subst ','\'',$(GPG_PATH)))'\' >>$@
 	@echo PYTHON_PATH=\''$(subst ','\'',$(PYTHON_PATH_SQ))'\' >>$@
 	@echo TAR=\''$(subst ','\'',$(subst ','\'',$(TAR)))'\' >>$@
 	@echo NO_CURL=\''$(subst ','\'',$(subst ','\'',$(NO_CURL)))'\' >>$@
diff --git a/gpg-interface.c b/gpg-interface.c
index 68b0c81..67c6e35 100644
--- a/gpg-interface.c
+++ b/gpg-interface.c
@@ -5,7 +5,7 @@
 #include "sigchain.h"
 
 static char *configured_signing_key;
-static const char *gpg_program = "gpg";
+static const char *gpg_program = GPG_PATH;
 
 #define PGP_SIGNATURE "-----BEGIN PGP SIGNATURE-----"
 #define PGP_MESSAGE "-----BEGIN PGP MESSAGE-----"
-- 
2.2.0.390.gf60752d

Re: tests do not work with gpg 2.1

[Jeff King]

On Tue, Dec 02, 2014 at 04:21:33PM -0500, Jeff King wrote:

> I'm not sure if the most expedient path is trying to convince gpg
> developers that it's a bug, or if there is some workaround (like
> "--passphrase-file /dev/null" or something).
> 
> I've been using the patch below to test, and am tempted to offer it for
> inclusion. But if we need to hack up the gpg command-line just for the
> tests, then lib-gpg.sh would end up setting gpg.program, and that would
> override what my patch is doing anyway.

So...I tried that. So many things went wrong. :)

For one thing, the build-time GPG_PATH patch I posted is not quite
enough. We would probably want to pass it down to the test scripts, too,
as they run "gpg --version" to figure out whether we have gpg or not.

Secondly, you cannot set gpg.program to "gpg2 --passphrase-file
/dev/null", because we do not use the shell to exec gpg.program. This is
unlike most of the rest of git-spawned programs, but of course changing
it has compatibility problems. We'd probably want gpg.command or
something as an alternative.

And finally, after convincing git to really use "--passphrase-file", I
find that it does not fix the problem at all. GPG still insists on
opening an agent window. Nor does "--batch" help.

So I dunno. Maybe there is some clever way to work around it, but I do
not know it.

-Peff