Since we're about to do a v3.0.0 release, let's bump the version to v3.
Make this change automatically with the following command to avoid any
missed items:
git grep -l github.com/git-lfs/git-lfs/v2 | \
xargs sed -i -e 's!github.com/git-lfs/git-lfs/v2!github.com/git-lfs/git-lfs/v3!g'
When our go.mod file was introduced in commit
114e85c2002091eb415040923d872f8e4a4bc636 in PR #3208, the module
path chosen did not include a trailing /v2 component. However,
the Go modules specification now advises that module paths must
have a "major version suffix" which matches the release version.
We therefore add a /v2 suffix to our module path and all its
instances in import paths.
See also https://golang.org/ref/mod#major-version-suffixes for
details regarding the Go module system's major version suffix rule.
The fix for CVE-2020-27955 was incomplete because we did not consider
places outside of the subprocess code that invoke binaries. As a
result, there are still some places where an attacker can execute
arbitrary code by placing a malicious binary in the repository.
To make sure we've covered all the bases, let's just use the subprocess
code for executing all programs, which means that they'll be secure. As
of this commit, all users of exec.Command are in test code or the
subprocess code itself.
When writing files to the LFS file storage, we create a temporary file
and rename it into its correct place. Use the function that was
recently introduced to create a temporary file that honors the umask.
This should make all uses of Git LFS honor the umask, since Git handles
writing the working tree files for us.
We compute the proper permissions value on demand. In a future commit,
we'll need to read the configuration file, and on clone, we'll want to
wait to read the configuration until we have a repository.
Add a test for this and skip it on Windows, since we cannot be
guaranteed to have POSIX permission support there.