git-annex 6.20180626 is an important security fix release.

See [[the advisory|security/CVE-2018-10857_and_CVE-2018-10859]]
for details about the security holes fixed in this release.

After upgrading git-annex, you should restart any git-annex assistant
processes.

Several changes to git-annex's behavior had to be made as part of the
security fixes:

* A security fix has changed git-annex to refuse to download content from
  some special remotes when the content cannot be verified with a hash check.
  In particular URL and WORM keys stored on such remotes won't be downloaded.
  See the documentation of the annex.security.allow-unverified-downloads
  configuration for how to deal with this if it affects your files.

* A security fix has changed git-annex to only support http, https, and ftp
  URL schemes by default. You can enable other URL schemes, at your own risk,
  using annex.security.allowed-url-schemes.

* A related security fix prevents git-annex from connecting to http
  servers (and proxies) on localhost or private networks. This can
  be overridden, at your own risk, using annex.security.allowed-ip-addresses.

* Setting annex.web-options no longer is enough to make curl be used,
  and youtube-dl is also no longer used by default. See the
  documentation of annex.security.allowed-http-addresses for
  details and how to enable them.

* The annex.web-download-command configuration has been removed,
  use annex.web-options instead.