Commit graph

32272 commits

Author SHA1 Message Date
CandyAngel
b356b2405c Added a comment 2018-06-26 10:38:21 +00:00
branchable@bafd175a4b99afd6ed72501042e364ebd3e0c45e
5162395494 Added a comment: Not working on OnePlus 5T either 2018-06-26 10:32:09 +00:00
Joey Hess
c913f39dc8 tagging git-annex 6.20180626

Merge tag '6.20180626'

tagging git-annex 6.20180626

# gpg: Signature made Tue Jun 26 00:02:59 2018 JEST
# gpg:                using RSA key 28A500C35207EAB72F6C0F25DB12DB0FF05F8F38
# gpg: Good signature from "Joey Hess <joeyh@joeyh.name>" [unknown]
# gpg:                 aka "Joey Hess <id@joeyh.name>" [unknown]
# gpg:                 aka "Joey Hess <joey@kitenet.net>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg:          There is no indication that the signature belongs to the owner.
# Primary key fingerprint: E85A 5F63 B31D 24C1 EBF0  D81C C910 D922 2512 E3C7
#      Subkey fingerprint: 28A5 00C3 5207 EAB7 2F6C  0F25 DB12 DB0F F05F 8F38
2018-06-26 00:04:36 -04:00
Joey Hess
df91a5cffe
commit to get right release date
Autobuilds use the date of last commit as the version,
so this will make version be 6.20180626.

(This is probably a misfeature of the build system.)
2018-06-26 00:00:40 -04:00
Joey Hess
561e4531e5
announcing the security fix release 2018-06-25 22:14:32 -04:00
Joey Hess
dc6cb6aa5f
Merge branch 'later' 2018-06-25 21:59:20 -04:00
Joey Hess
3160cadba3 git-annex version 6.20180626

Merge tag '6.20180626' - previously embargoed security release
2018-06-25 21:56:43 -04:00
Joey Hess
74890e1457
set 6.20180626 as urgent upgrade
This causes the webapp to tell the user it's an urgent upgrade, which
this security fix is.
2018-06-25 21:52:02 -04:00
Yaroslav Halchenko
fd725a0bb1
NF: a standalone-no-LOCPATH patch for the Debian standalone build 2018-06-25 13:54:14 -04:00
bqone@ea19c1433d6c23d05a56fe7b055d92010ab75ffb
89a2c1b220 Added a comment: Not working on OnePlus 6 2018-06-25 15:57:13 +00:00
Joey Hess
6091b7b9db
info: Display uuid and description when a repository is identified by uuid, and for "here". 2018-06-24 17:38:18 -04:00
Joey Hess
a5228ac765
Support configuring remote.web.annex-cost and remote.bittorrent.annex-cost
Seems that has never worked before due to oversight.
2018-06-24 17:31:22 -04:00
Joey Hess
57dc30a029
finalize release 2018-06-22 10:37:01 -04:00
Joey Hess
47cd6923b4
mention new limitation 2018-06-22 10:30:10 -04:00
Joey Hess
dab55715da
add link to advisory 2018-06-22 10:27:22 -04:00
Joey Hess
3976b89116
fix license date
I wrote this this year
2018-06-22 10:25:53 -04:00
yves.noirjean@3f9b06d19a920fbf5c82340c362e5971b00d4af2
5d8d4de172 Added a comment 2018-06-22 07:53:26 +00:00
Joey Hess
eb8a8976a9
comment 2018-06-21 20:54:02 -04:00
Joey Hess
9faef71650
add upgrade note 2018-06-21 18:16:44 -04:00
Joey Hess
fff1825f13
adjust version 2018-06-21 16:50:41 -04:00
Joey Hess
787e46a44b
note that glacier was also limited 2018-06-21 16:40:31 -04:00
Joey Hess
05ecee0db4
set ddar to RetrievalAllKeysSecure
Based on information from Robie Basak.
2018-06-21 16:38:47 -04:00
Joey Hess
4a89728d64
close 2018-06-21 15:49:11 -04:00
Joey Hess
a5460132a6
update version 2018-06-21 14:56:04 -04:00
Joey Hess
66b14b5d66
devblog 2018-06-21 14:50:20 -04:00
Joey Hess
f1b29dbeb4
don't assume boto will remain secure
On second thought, best to default to being secure even if boto changes
http libraries to one that happens to follow redirects.
2018-06-21 14:14:56 -04:00
Joey Hess
838b65bd6b
update status 2018-06-21 13:45:07 -04:00
Joey Hess
b657242f5d
enforce retrievalSecurityPolicy
Leveraged the existing verification code by making it also check the
retrievalSecurityPolicy.

Also, prevented getViaTmp from running the download action at all when the
retrievalSecurityPolicy is going to prevent verifying and so storing it.

Added annex.security.allow-unverified-downloads. A per-remote version
would be nice to have too, but would need more plumbing, so KISS.
(Bill the Cat reference not too over the top I hope. The point is to
make this something the user reads the documentation for before using.)

A few calls to verifyKeyContent and getViaTmp, that don't
involve downloads from remotes, have RetrievalAllKeysSecure hard-coded.
It was also hard-coded for P2P.Annex and Command.RecvKey,
to match the values of the corresponding remotes.

A few things use retrieveKeyFile/retrieveKeyFileCheap without going
through getViaTmp.
* Command.Fsck when downloading content from a remote to verify it.
  That content does not get into the annex, so this is ok.
* Command.AddUrl when using a remote to download an url; this is new
  content being added, so this is ok.

This commit was sponsored by Fernando Jimenez on Patreon.
2018-06-21 13:37:01 -04:00
Joey Hess
c981683f77
date deferred devblogs 2018-06-21 12:28:53 -04:00
yves.noirjean@3f9b06d19a920fbf5c82340c362e5971b00d4af2
03bef4f2cc Added a comment 2018-06-21 16:15:05 +00:00
Joey Hess
4315bb9e42
add retrievalSecurityPolicy
This will be used to protect against CVE-2018-10859, where an encrypted
special remote is fed the wrong encrypted data, and so tricked into
decrypting something that the user encrypted with their gpg key and did
not store in git-annex.

It also protects against CVE-2018-10857, where a remote follows a http
redirect to a file:// url or to a local private web server. While that's
already been prevented in git-annex's own use of http, external special
remotes, hooks, etc use other http implementations and could still be
vulnerable.

The policy is not yet enforced, this commit only adds the appropriate
metadata to remotes.

This commit was sponsored by Boyd Stephen Smith Jr. on Patreon.
2018-06-21 11:36:36 -04:00
Joey Hess
537935333f
document CVE-2018-10859 2018-06-21 11:27:56 -04:00
Joey Hess
22f49f216e
get android building the security fix
Had to update http-client and network, with follow-on dep changes.

This commit was sponsored by Brock Spratlen on Patreon.
2018-06-21 10:23:04 -04:00
jared@ce91556d9548d318ec3f690b5f9bc33721256e4d
5f64260ce3 Added a comment: Unable to access public s3 remote without S3 credentials. 2018-06-21 13:47:27 +00:00
ruskie
e242655563 2018-06-21 10:13:23 +00:00
Joey Hess
991265e724
version deps
need at least http-client-0.4.31 to build now, and connection-0.2.6
2018-06-19 19:55:22 -04:00
Joey Hess
c5166b56af
second vuln 2018-06-19 17:03:04 -04:00
Joey Hess
923578ad78
improve error message
This commit was sponsored by Jack Hill on Patreon.
2018-06-19 14:21:41 -04:00
Joey Hess
47cd8001bc
call base ManagerSetting's exception wrapper
This commit was sponsored by Henrik Riomar on Patreon.
2018-06-19 14:17:05 -04:00
Joey Hess
f34faad9aa
finalize changelog for release 2018-06-19 11:41:50 -04:00
Joey Hess
fc79f68404
support building on debian stable
Specifically, http-client-0.4.31

This commit was supported by the NSF-funded DataLad project.
2018-06-19 11:25:10 -04:00
Joey Hess
daac67c9b1
update 2018-06-18 18:01:33 -04:00
Joey Hess
c81b879d39
got a CVE number 2018-06-18 17:56:18 -04:00
Joey Hess
e00b3ab3d5
doc typo 2018-06-18 15:57:13 -04:00
Joey Hess
3c0a538335
allow ftp urls by default
They're no worse than http certainly. And, the backport of these
security fixes has to deal with wget, which supports http, https and ftp
and has no way to turn off individual schemes, so this will make that
easier.
2018-06-18 15:37:17 -04:00
zjs@6d8d0d7eaa9899fb198baa3eb90d570c14abd2b8
ac71326021 Error trying to run git-annex on Android version 8.1 2018-06-18 19:03:35 +00:00
Joey Hess
c93b6c1e08
devblog 2018-06-18 14:27:16 -04:00
Joey Hess
71d39caf5c
add security page with current and past security holes 2018-06-18 14:19:58 -04:00
Joey Hess
cc08135e65
prevent using local http proxies per annex.security.allowed-http-addresses
A local http proxy would bypass the security configuration. So,
the security configuration has to be applied when choosing whether to
use the proxy.

While http rebinding attacks against the dns lookup of the proxy IP
address seem very unlikely, this implementation does prevent them, since
it resolves the IP address once, checks it, and then reconfigures
http-client's proxy using the resolved address.

This commit was sponsored by Ole-Morten Duesund on Patreon.
2018-06-18 13:32:20 -04:00
anarcat
6d2616f86e some issues with anonymous pushes 2018-06-18 12:48:16 +00:00