diff --git a/backports/git/APKBUILD b/backports/git/APKBUILD
new file mode 100644
index 0000000..81c7893
--- /dev/null
+++ b/backports/git/APKBUILD
@@ -0,0 +1,373 @@
+# Contributor: Ɓukasz Jendrysik
+# Maintainer: Natanael Copa
+#
+# secfixes:
+# 2.40.1-r0:
+# - CVE-2023-25652
+# - CVE-2023-25815
+# - CVE-2023-29007
+# 2.39.2-r0:
+# - CVE-2023-22490
+# - CVE-2023-23946
+# 2.39.1-r0:
+# - CVE-2022-41903
+# - CVE-2022-23521
+# 2.38.1-r0:
+# - CVE-2022-39253
+# - CVE-2022-39260
+# 2.37.1-r0:
+# - CVE-2022-29187
+# 2.35.2-r0:
+# - CVE-2022-24765
+# 2.30.2-r0:
+# - CVE-2021-21300
+# 2.26.2-r0:
+# - CVE-2020-11008
+# 2.26.1-r0:
+# - CVE-2020-5260
+# 2.24.1-r0:
+# - CVE-2019-1348
+# - CVE-2019-1349
+# - CVE-2019-1350
+# - CVE-2019-1351
+# - CVE-2019-1352
+# - CVE-2019-1353
+# - CVE-2019-1354
+# - CVE-2019-1387
+# - CVE-2019-19604
+# 2.19.1-r0:
+# - CVE-2018-17456
+# 2.17.1-r0:
+# - CVE-2018-11233
+# - CVE-2018-11235
+# 2.14.1-r0:
+# - CVE-2017-1000117
+# 0:
+# - CVE-2021-29468
+# - CVE-2021-46101
+
+pkgname=git
+pkgver=2.41.0
+pkgrel=2
+pkgdesc="Distributed version control system"
+url="https://www.git-scm.com/"
+arch="!armv7 all"
+license="GPL-2.0-only"
+makedepends="
+ curl-dev
+ expat-dev
+ file
+ openssl-dev>3
+ pcre2-dev
+ perl-dev
+ perl-error
+ xmlto
+ zlib-dev
+ "
+# note that order matters
+subpackages="
+ $pkgname-dbg
+ $pkgname-bash-completion
+ $pkgname-prompt::noarch
+ perl-$pkgname-svn:_perl_git_svn:noarch
+ perl-$pkgname:_perl_git:noarch
+ $pkgname-svn::noarch
+ $pkgname-email
+ $pkgname-fast-import:_fast_import:noarch
+ $pkgname-cvs::noarch
+ $pkgname-daemon
+ $pkgname-daemon-openrc:daemon_openrc
+ $pkgname-scalar
+ $pkgname-gitweb::noarch
+ $pkgname-subtree::noarch
+ $pkgname-diff-highlight:diff_highlight:noarch
+ $pkgname-perl:_git_perl:noarch
+ "
+source="https://www.kernel.org/pub/software/scm/git/git-$pkgver.tar.xz
+ git-daemon.initd
+ git-daemon.confd
+ fix-t4219-with-sticky-bit.patch
+ "
+options="$options !check" # a few need updated for perl 5.38
+
+_gitcoredir=/usr/libexec/git-core
+
+if [ -z "$BOOTSTRAP" ]; then
+ # we need tcl and tk to be built before git due to git-gui and gitk
+ makedepends="$makedepends asciidoc python3-dev tcl tk libsecret-dev glib-dev"
+ subpackages="$subpackages
+ $pkgname-doc
+ $pkgname-p4::noarch
+ $pkgname-gui::noarch
+ $pkgname-gitk::noarch
+ $pkgname-subtree-doc:subtree_doc:noarch
+ $pkgname-credential-libsecret:credential_libsecret
+ "
+fi
+
+case "$CARCH" in
+s390x)
+ # todo: they fail with strange between-test email mismatches
+ options="$options !check"
+ ;;
+esac
+
+prepare() {
+ default_prepare
+
+ cat >> config.mak <<-EOF
+ NO_GETTEXT=YesPlease
+ NO_SVN_TESTS=YesPlease
+ NO_REGEX=YesPlease
+ NO_SYS_POLL_H=1
+ ICONV_OMITS_BOM=Yes
+ INSTALL_SYMLINKS=1
+ CC=${CC:-cc}
+ CXX=${CC:-c++}
+ CFLAGS=$CFLAGS -flto=auto
+ LDFLAGS=$LDFLAGS -flto=auto
+ USE_LIBPCRE2=YesPlease
+ PYTHON_PATH=/usr/bin/python3
+ EOF
+
+ if [ -n "$BOOTSTRAP" ]; then
+ cat >> config.mak <<-EOF
+ NO_PYTHON=YesPlease
+ NO_TCLTK=YesPlease
+ EOF
+ fi
+}
+
+build() {
+ make prefix=/usr \
+ DESTDIR="$pkgdir" \
+ perllibdir="$(_perl_config vendorlib)" \
+ all
+
+ make -C contrib/subtree prefix=/usr DESTDIR="$pkgdir"
+ make -C contrib/diff-highlight prefix=/usr DESTDIR="$pkgdir"
+
+ if [ -z "$BOOTSTRAP" ]; then
+ # generate manpages outside of package()
+ make prefix=/usr man
+
+ make prefix=/usr -C contrib/credential/libsecret
+ fi
+}
+
+check() {
+ make -C t prefix=/usr DESTDIR="$pkgdir" \
+ perlibdir="$(_perl_config vendorlib)" \
+ all
+}
+
+package() {
+ if [ -z "$BOOTSTRAP" ]; then
+ local install_man=install-man
+ fi
+
+ make prefix=/usr \
+ DESTDIR="$pkgdir" \
+ INSTALLDIRS=vendor \
+ perllibdir="$(_perl_config vendorlib)" \
+ install \
+ $install_man
+
+ make -C contrib/subtree install prefix=/usr DESTDIR="$pkgdir"
+
+ mkdir -p "$pkgdir"/var/git
+
+ install -Dm755 "$srcdir"/git-daemon.initd "$pkgdir"/etc/init.d/git-daemon
+ install -Dm644 "$srcdir"/git-daemon.confd "$pkgdir"/etc/conf.d/git-daemon
+
+ install -Dm755 contrib/diff-highlight/diff-highlight -t "$pkgdir"/usr/bin/
+
+ install -Dm644 contrib/completion/git-completion.bash \
+ "$pkgdir"/usr/share/bash-completion/completions/git
+
+ install -Dm644 contrib/completion/git-prompt.sh \
+ "$pkgdir"/usr/share/git-core/git-prompt.sh
+
+ if [ -z "$BOOTSTRAP" ]; then
+ install -Dm755 contrib/credential/libsecret/git-credential-libsecret "$pkgdir"/usr/libexec/git-core
+ fi
+}
+
+prompt() {
+ pkgdesc="bash and zsh prompt integration for Git"
+ depends="git=$pkgver-r$pkgrel"
+
+ amove usr/share/git-core/git-prompt.sh
+}
+
+_perl_git_svn() {
+ pkgdesc="Perl interface to Git::SVN"
+ depends="git=$pkgver-r$pkgrel perl-git=$pkgver-r$pkgrel"
+
+ local vendorlib=$(_perl_config vendorlib)
+
+ amove $vendorlib/Git/SVN*
+}
+
+_perl_git() {
+ pkgdesc="Perl interface to Git"
+ depends="git=$pkgver-r$pkgrel perl-error"
+
+ local i
+ for i in "$(_perl_config vendorlib)" "$(_perl_config vendorarch)"; do
+ [ -d "$pkgdir/$i" ] || continue
+ amove $i
+ done
+}
+
+email() {
+ pkgdesc="Git tools for sending email"
+ depends="perl perl-git=$pkgver-r$pkgrel perl-net-smtp-ssl perl-authen-sasl"
+
+ amove $_gitcoredir/*email*
+ amove $_gitcoredir/*imap*
+}
+
+svn() {
+ pkgdesc="Subversion support for git"
+ depends="
+ perl
+ perl-git-svn=$pkgver-r$pkgrel
+ perl-subversion
+ perl-term-readkey
+ "
+
+ amove $_gitcoredir/git-svn
+}
+
+cvs() {
+ pkgdesc="Git tools for importing CVS repositories"
+ depends="perl perl-git=$pkgver-r$pkgrel cvs perl-dbd-sqlite"
+
+ amove usr/bin/git-cvs*
+ amove $_gitcoredir/*cvs*
+}
+
+_fast_import() {
+ pkgdesc="Git backend for fast Git data importers"
+ depends="git=$pkgver-r$pkgrel"
+
+ amove $_gitcoredir/git-fast-import
+}
+
+p4() {
+ pkgdesc="Git tools for working with Perforce depots"
+ depends="git=$pkgver-r$pkgrel git-fast-import=$pkgver-r$pkgrel"
+
+ amove $_gitcoredir/*p4*
+ amove $_gitcoredir/mergetools/*p4*
+}
+
+daemon() {
+ pkgdesc="Git protocol daemon"
+ depends="git=$pkgver-r$pkgrel"
+
+ amove $_gitcoredir/git-daemon
+ amove $_gitcoredir/git-http-backend
+ amove $_gitcoredir/git-shell
+}
+
+daemon_openrc() {
+ pkgdesc="Git protocol daemon"
+
+ default_openrc
+
+ depends="git-daemon=$pkgver-r$pkgrel $depends_openrc"
+ install_if="openrc $pkgname-daemon=$pkgver-r$pkgrel"
+}
+
+gitweb() {
+ pkgdesc="Simple web interface to git repositories"
+ depends="git=$pkgver-r$pkgrel perl"
+
+ amove $_gitcoredir/git-instaweb
+ amove usr/share/gitweb
+}
+
+subtree() {
+ depends="git=$pkgver-r$pkgrel"
+ pkgdesc="Split git repository into subtrees"
+
+ amove $_gitcoredir/git-subtree
+}
+
+subtree_doc() {
+ pkgdesc="Split git repository into subtrees (documentation)"
+ depends=""
+ install_if="docs git-subtree=$pkgver-r$pkgrel"
+
+ cd "$builddir"/contrib/subtree
+ make install-man prefix=/usr DESTDIR="$subpkgdir"
+ gzip -9 "$subpkgdir"/usr/share/man/man1/git-subtree.1
+}
+
+gui() {
+ pkgdesc="GUI interface for git"
+ depends="git=$pkgver-r$pkgrel tcl tk"
+
+ amove usr/share/git-gui
+ amove $_gitcoredir/git-citool
+ amove $_gitcoredir/git-gui
+ amove $_gitcoredir/git-gui--askpass
+}
+
+gitk() {
+ pkgdesc="Gitk interface for git"
+ depends="git=$pkgver-r$pkgrel tcl tk"
+
+ amove usr/share/gitk
+ amove usr/bin/gitk
+}
+
+diff_highlight() {
+ pkgdesc="diff highlight for git"
+ depends="git=$pkgver-r$pkgrel perl"
+
+ amove usr/bin/diff-highlight
+}
+
+credential_libsecret() {
+ pkgdesc="libsecret-based credential helper"
+ depends="git=$pkgver-r$pkgrel"
+
+ amove usr/libexec/git-core/git-credential-libsecret
+}
+
+scalar() {
+ pkgdesc="Git scalar monorepo tool"
+ depends="git=$pkgver-r$pkgrel"
+
+ amove usr/bin/scalar
+ amove usr/libexec/git-core/scalar
+}
+
+# catch-the-rest of stuff that needs perl
+_git_perl() {
+ pkgdesc="Additional Git commands that requires perl"
+ depends="git=$pkgver-r$pkgrel perl-git=$pkgver-r$pkgrel perl"
+ install_if="git=$pkgver-r$pkgrel perl"
+
+ mkdir -p "$subpkgdir"/usr/lib
+ cd "$pkgdir"
+ find . -type f -print0 | xargs -0 file --mime-type | grep perl | cut -d: -f1 | while read -r f; do
+ amove "$f"
+ done
+ find "$subpkgdir" -name perllocal.pod -delete
+}
+
+# Prints values of the Config.pm variable $1.
+_perl_config() {
+ perl -e "use Config; print \$Config{$1};"
+}
+
+sha512sums="
+a215bc6d89afbddd56adac901c24ea2b7f98a37bf6a6a2756893947012ffaa850e76247a3445a5ab13ab5a462f39986fec33eed086148aba5eb554dc1799fee0 git-2.41.0.tar.xz
+89528cdd14c51fd568aa61cf6c5eae08ea0844e59f9af9292da5fc6c268261f4166017d002d494400945e248df6b844e2f9f9cd2d9345d516983f5a110e4c42a git-daemon.initd
+fbf1f425206a76e2a8f82342537ed939ff7e623d644c086ca2ced5f69b36734695f9f80ebda1728f75a94d6cd2fcb71bf845b64239368caab418e4d368c141ec git-daemon.confd
+be5d568fc5b8b84c9afb97b31e471e41f32ccfe188eba0588ea0ef98b2d96c2ce4b2c1a3d70e88205aa4f6667f850b3f32c13bbb149ecddbf670344c162a4e25 fix-t4219-with-sticky-bit.patch
+"
diff --git a/backports/git/fix-t4219-with-sticky-bit.patch b/backports/git/fix-t4219-with-sticky-bit.patch
new file mode 100644
index 0000000..54ac184
--- /dev/null
+++ b/backports/git/fix-t4219-with-sticky-bit.patch
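Review bot: In backports/git/APKBUILD the top-level `options="$options !check"` turns the test suite off on every architecture, so this package, which carries a long secfixes history, is built with none of upstream's tests run; the later s390x `case` block and fix-t4219-with-sticky-bit.patch do nothing useful until that line is removed. If only a few tests break under Perl 5.38, skipping those by name through `GIT_SKIP_TESTS` in check() would keep the rest of the coverage. Two smaller slips in the same hunk: check() passes `perlibdir=` where build() and package() use `perllibdir=`, and prepare() writes `CXX=${CC:-c++}`, which probably should read `CXX=${CXX:-c++}`.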
@@ -0,0 +1,48 @@
+The last test of t4129 creates a directory and expects its setgid bit
+(g+s) to be off. But this makes the test fail when the parent directory
+has the bit set, as setgid's state is inherited by newly created
+subdirectories. Make the test more robust by accepting the presence of
+the setgid bit on the created directory. We only allow 'S' (setgid on
+but no executable permission) and not 's' (setgid on with executable
+permission) because the previous 'umask 0077' shouldn't allow the second
+scenario to happen.
+
+Note that only subdirectories inherit this bit, so we don't have to make
+the same change for the regular file that is also created by this test.
+But checking the permissions using grep instead of test_cmp makes the
+test a little simpler, so let's use it for the regular file as well.
+
+Also note that the sticky bit (+t) and the setuid bit (u+s) are not
+inherited, so we don't have to worry about those.
+
+Reported-by: Kevin Daudt
+Signed-off-by: Matheus Tavares
+---
+ t/t4129-apply-samemode.sh | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+diff --git a/t/t4129-apply-samemode.sh b/t/t4129-apply-samemode.sh
+index 41818d8315..3818398ca9 100755
+--- a/t/t4129-apply-samemode.sh
++++ b/t/t4129-apply-samemode.sh
+@@ -90,12 +90,10 @@ test_expect_success POSIXPERM 'do not use core.sharedRepository for working tree
+ rm -rf d f1 &&
+ git apply patch-f1-and-f2.txt &&
+
+- echo "-rw-------" >f1_mode.expected &&
+- echo "drwx------" >d_mode.expected &&
+- test_modebits f1 >f1_mode.actual &&
+- test_modebits d >d_mode.actual &&
+- test_cmp f1_mode.expected f1_mode.actual &&
+- test_cmp d_mode.expected d_mode.actual
++ test_modebits f1 >f1_mode &&
++ test_modebits d >d_mode &&
++ grep "^-rw-------$" f1_mode &&
++ grep "^drwx--[-S]---$" d_mode
+ )
+ '
+
+--
+2.29.2
+
+
diff --git a/backports/git/git-daemon.confd b/backports/git/git-daemon.confd
new file mode 100644
index 0000000..69b209f
--- /dev/null
+++ b/backports/git/git-daemon.confd
@@ -0,0 +1,19 @@
+# conf.d file for git-daemon
+#
+# Please check man 1 git-daemon for more information about the options
+# git-daemon accepts. You MUST edit this to include your repositories you wish
+# to serve.
+#
+# Some of the meaningful options are:
+# --syslog --- Enables syslog logging
+# --verbose --- Enables verbose logging
+# --export-all --- Exports all repositories
+# --port=XXXX --- Starts in port XXXX instead of 9418
+#
+GITDAEMON_OPTS="--syslog --base-path=/var/git"
+
+# To run an anonymous git safely, the following user should be able to only
+# read your Git repositories. It should not be able to write to anywhere on
+# your system, esp. not the repositories.
+GIT_USER="nobody"
+GIT_GROUP="nobody"
diff --git a/backports/git/git-daemon.initd b/backports/git/git-daemon.initd
new file mode 100644
index 0000000..394feb9
--- /dev/null
+++ b/backports/git/git-daemon.initd
@@ -0,0 +1,13 @@
+#!/sbin/openrc-run
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Id$
+
+pidfile="/var/run/git-daemon.pid"
+command="/usr/bin/git"
+command_args="daemon ${GITDAEMON_OPTS}"
+start_stop_daemon_args="-e HOME= -e XDG_CONFIG_HOME= -b -m -p ${pidfile} -u ${GIT_USER:-nobody}:${GIT_GROUP:-nobody}"
+
+depend() {
+ use logger
+}
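Review bot: In git-daemon.confd, `GIT_USER="nobody"` and `GIT_GROUP="nobody"` put the daemon on an account that other services commonly fall back to, so it is not isolated from them; a dedicated unprivileged user and group would better match the read-only intent stated in the comment just above. If the default has to stay, I would extend that comment with a line such as `# Prefer a dedicated account over the shared "nobody" user.` The default `GITDAEMON_OPTS` leaves out `--export-all`, so only repositories marked with a `git-daemon-export-ok` file are served; that is the safer default and worth stating next to the option list.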
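Review bot: In git-daemon.initd the privilege drop and backgrounding are expressed as raw flags inside `start_stop_daemon_args` (`-b -m -p … -u …`), which ties the script to start-stop-daemon and hides the run-as user in a long string. OpenRC's declarative variables say the same thing and are easier to audit: `command_user="${GIT_USER:-nobody}:${GIT_GROUP:-nobody}"` and `command_background="yes"`, leaving only the two `-e` overrides in `start_stop_daemon_args`. Those overrides deserve a one-line comment, e.g. `# Clear HOME and XDG_CONFIG_HOME so git does not read a per-user config from the invoking environment.`, assuming that is their purpose. `pidfile` also points at `/var/run`, where `/run` is the usual location on current systems.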