git-annex/doc/news/version_6.20170228.mdwn

News for git-annex 6.20170228:

   This version of git-annex has mitigations for SHA1 hash collision
   problems.
   A new annex.securehashesonly configuration, when used in combination with
   signed git commits, avoids potential hash collision problems in git-annex
   repositories. For details, see this web page:
   &lt;https://git-annex.branchable.com/tips/using\_signed\_git\_commits/&gt;

git-annex 6.20170228 released with [[!toggle text="these changes"]]
[[!toggleable text="""
   * Cryptographically secure hashes can be forced to be used in a
     repository, by setting annex.securehashesonly.
     This does not prevent the git repository from containing links
     to insecure hashes, but it does prevent the content of such files
     from being added to .git/annex/objects by any method.
   * Tighten key parser to prevent SHA1 collision attacks generating
     two keys that have the same SHA1. (Only done for keys that contain
     a hash). This ensures that signed git commits of annexed files
     will remain secure, as long as git-annex is using a secure hashing
     backend.
   * fsck: Warn about any files whose content is present, that don't
     use secure hashes, when annex.securehashesonly is set.
   * init: When annex.securehashesonly has been set with git-annex config,
     copy that value to the annex.securehashesonly git config.
   * Added --securehash option to match files using a secure hash function,
     and corresponding securehash preferred content expression.
   * sync, merge: Fail when the current branch has no commits yet, instead
     of not merging in anything from remotes and appearing to succeed.
   * Run ssh with -n whenever input is not being piped into it,
     to avoid it consuming stdin that it shouldn't.
     This fixes git-annex-checkpresentkey --batch remote,
     which didn't output results for all keys passed into it. Other
     git-annex commands that communicate with a remote over ssh may also
     have been consuming stdin that they shouldn't have, which could have
     impacted using them in eg, shell scripts.
   * sync: Improve integration with receive.denyCurrentBranch=updateInstead,
     displaying error messages from the remote then it fails to update
     its checked out branch.
   * Added post-recieve hook, which makes updateInstead work with direct
     mode and adjusted branches.
   * init: Set up the post-receive hook.
   * sync: When syncing with a local repository located on a crippled
     filesystem, run the post-receive hook there, since it wouldn't get run
     otherwise. This makes pushing to repos on FAT-formatted removable
     drives update them when receive.denyCurrentBranch=updateInstead.
   * config group groupwanted numcopies schedule wanted required:
     Avoid displaying extraneous messages about repository auto-init,
     git-annex branch merging, etc, when being used to get information.
   * adjust: Fix behavior when used in a repository that contains
     submodules.
   * Run wget with -nv instead of -q, so it will display HTTP errors.
   * Run curl with -S, so HTTP errors are displayed, even when
     it's otherwise silent.
   * When downloading in --json or --quiet mode, use curl in preference
     to wget, since curl is able to display only errors to stderr, unlike
     wget.
   * status: Pass --ignore-submodules=when option on to git status.
   * config --set: As well as setting value in git-annex branch,
     set local gitconfig. This is needed especially for
     annex.securehashesonly, which is read only from local gitconfig and not
     the git-annex branch.
   * Removed support for building with the old cryptohash library.
     Building with that library made git-annex not support SHA3; it's time
     for that to always be supported in case SHA2 dominoes.
   * git-annex.cabal: Make crypto-api a dependency even when built w/o
     webapp and test suite."""]]
add news item for git-annex 6.20170228 2017-02-28 18:42:28 +00:00			`News for git-annex 6.20170228:`

			`This version of git-annex has mitigations for SHA1 hash collision`
			`problems.`
			`A new annex.securehashesonly configuration, when used in combination with`
			`signed git commits, avoids potential hash collision problems in git-annex`
			`repositories. For details, see this web page:`
			`<https://git-annex.branchable.com/tips/using\_signed\_git\_commits/>`

			`git-annex 6.20170228 released with [[!toggle text="these changes"]]`
			`[[!toggleable text="""`
			`* Cryptographically secure hashes can be forced to be used in a`
			`repository, by setting annex.securehashesonly.`
			`This does not prevent the git repository from containing links`
			`to insecure hashes, but it does prevent the content of such files`
			`from being added to .git/annex/objects by any method.`
			`* Tighten key parser to prevent SHA1 collision attacks generating`
			`two keys that have the same SHA1. (Only done for keys that contain`
			`a hash). This ensures that signed git commits of annexed files`
			`will remain secure, as long as git-annex is using a secure hashing`
			`backend.`
			`* fsck: Warn about any files whose content is present, that don't`
			`use secure hashes, when annex.securehashesonly is set.`
			`* init: When annex.securehashesonly has been set with git-annex config,`
			`copy that value to the annex.securehashesonly git config.`
			`* Added --securehash option to match files using a secure hash function,`
			`and corresponding securehash preferred content expression.`
			`* sync, merge: Fail when the current branch has no commits yet, instead`
			`of not merging in anything from remotes and appearing to succeed.`
			`* Run ssh with -n whenever input is not being piped into it,`
			`to avoid it consuming stdin that it shouldn't.`
			`This fixes git-annex-checkpresentkey --batch remote,`
			`which didn't output results for all keys passed into it. Other`
			`git-annex commands that communicate with a remote over ssh may also`
			`have been consuming stdin that they shouldn't have, which could have`
			`impacted using them in eg, shell scripts.`
			`* sync: Improve integration with receive.denyCurrentBranch=updateInstead,`
			`displaying error messages from the remote then it fails to update`
			`its checked out branch.`
			`* Added post-recieve hook, which makes updateInstead work with direct`
			`mode and adjusted branches.`
			`* init: Set up the post-receive hook.`
			`* sync: When syncing with a local repository located on a crippled`
			`filesystem, run the post-receive hook there, since it wouldn't get run`
			`otherwise. This makes pushing to repos on FAT-formatted removable`
			`drives update them when receive.denyCurrentBranch=updateInstead.`
			`* config group groupwanted numcopies schedule wanted required:`
			`Avoid displaying extraneous messages about repository auto-init,`
			`git-annex branch merging, etc, when being used to get information.`
			`* adjust: Fix behavior when used in a repository that contains`
			`submodules.`
			`* Run wget with -nv instead of -q, so it will display HTTP errors.`
			`* Run curl with -S, so HTTP errors are displayed, even when`
			`it's otherwise silent.`
			`* When downloading in --json or --quiet mode, use curl in preference`
			`to wget, since curl is able to display only errors to stderr, unlike`
			`wget.`
			`* status: Pass --ignore-submodules=when option on to git status.`
			`* config --set: As well as setting value in git-annex branch,`
			`set local gitconfig. This is needed especially for`
			`annex.securehashesonly, which is read only from local gitconfig and not`
			`the git-annex branch.`
			`* Removed support for building with the old cryptohash library.`
			`Building with that library made git-annex not support SHA3; it's time`
			`for that to always be supported in case SHA2 dominoes.`
			`* git-annex.cabal: Make crypto-api a dependency even when built w/o`
			`webapp and test suite."""]]`