Update the vendored golang.org/x/crypto module to the
latest version, which in turn updates the vendored copy
of the x/sys module.
While the portions of x/crypto vendored into this project do
not actually change at all, updating the module's entry in
vendor/modules.txt and go.{mod,sum} means we will not be
flagged by security scanners regarding CVE-2020-29652 in the
x/crypto/ssh library code.
The Git LFS client should not be affected by that security
issue, since we do not use the ssh component of the x/crypto
module.
The specific commands run to perform this update were:

    go get golang.org/x/crypto@latest &&
    go mod tidy && go mod vendor

When using Go 1.16 in CI, go get is upgrading some of our dependencies
automatically, and since these items are not in the go.sum file, Go
complains and refuses to build our binary. Let's bump the relevant
dependencies and vendor the resulting modules to make sure that Go can
build our binary successfully on a fresh Go 1.16.

Update x/text to v0.3.5, which fixes CVE-2020-28852.
The specific commands used for this update:
"go get golang.org/x/text@latest && go mod tidy && go mod vendor"

Update the vendored golang.org/x/net module to the latest
version, which in turn updates the vendored copy of the
golang.org/x/text module to 0.3.3. That version of x/text
includes a mitigation of CVE-2020-14040, which pertains to
processing UTF-16 data with a Byte Order Mark.
The Git LFS client should not be affected by that security
issue, since it does not open streams in UTF-16 mode, but
we update our modules to stay current with the upstream Go
sources and also to avoid being flagged by security scanners.
The specific commands run to perform this update were:
"go get golang.org/x/net@latest && go mod tidy && go mod vendor"

Use the IoctlFileClone ioctl wrapper provided by golang.org/x/sys/unix
instead of locally implementing it. This also fixes the ioctl on
GOARCHes where the value of FICLONE is different from the currently used
ioctlFiClone value (e.g. mips64/mips64le and ppc64/ppc64le).
This PR also bumps the version of golang.org/x/sys to get
IoctlFileClone and updates its vendored version by running
`go get golang.org/x/sys@latest && go mod tidy && go mod vendor`.
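
Why FICLONE differs between architectures, as an added example that is not part of the commit above or of the Git LFS code: Linux defines FICLONE as _IOW(0x94, 9, int), and mips and ppc pack the direction and size fields differently from most other architectures, so one hard-coded constant is only right for one family. The type and function names here (ioctlLayout, iow, ficlone) are hypothetical.

```go
package main

import "fmt"

// ioctlLayout describes how Linux packs an ioctl request number on one
// family of architectures (asm-generic/ioctl.h plus per-arch overrides).
// Hypothetical helper type for this example.
type ioctlLayout struct {
	sizeBits uint   // width of the argument-size field
	write    uint32 // value of _IOC_WRITE in the direction field
}

var (
	// Most architectures, including amd64 and arm64.
	genericLayout = ioctlLayout{sizeBits: 14, write: 1}
	// mips/mips64 and ppc/ppc64: 13-bit size field, _IOC_WRITE is 4.
	mipsPPCLayout = ioctlLayout{sizeBits: 13, write: 4}
)

// iow mirrors the kernel's _IOW(type, nr, size) macro for a given layout.
func (l ioctlLayout) iow(typ, nr, size uint32) uint32 {
	const nrBits, typeBits = 8, 8
	sizeShift := uint(nrBits + typeBits)
	dirShift := sizeShift + l.sizeBits
	return l.write<<dirShift | size<<sizeShift | typ<<nrBits | nr
}

// ficlone returns FICLONE, defined in linux/fs.h as _IOW(0x94, 9, int).
func ficlone(l ioctlLayout) uint32 {
	return l.iow(0x94, 9, 4) // sizeof(int) == 4
}

func main() {
	fmt.Printf("generic  FICLONE = %#x\n", ficlone(genericLayout))
	fmt.Printf("mips/ppc FICLONE = %#x\n", ficlone(mipsPPCLayout))
}
```

Issuing the generic value on mips or ppc sends a request number the kernel does not recognise as FICLONE, which is why taking the per-GOARCH constant from golang.org/x/sys/unix is the safer choice.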

We'll need some additional dependencies to add support for Kerberos to
Git LFS. In order to support HTTP SPNEGO (Negotiate), add the
required modules and vendor their dependencies.

The original parser that was used in #3825 brings in a lot of
dependencies that complicate packaging git-lfs. This replaces it with a
small parser I wrote with almost no dependencies. I've tested this as
extensively as I can and it seems to work correctly.

Vendor the `golang.org/x/net` dependency. This will be used in a
future commit to add HTTP/2 transport support.
Note that due to the way go modules work, the `golang.org/x/sys`
dependency was updated as well when running `make vendor`.

In a future commit, we'll introduce a use of the semaphore package to
prevent goroutines from accidentally running us out of resources. Add
the package to go.mod and go.sum and vendor it in.

We use package github.com/olekukonko/ts to issue IOCTLs to gather the
terminal size of the calling terminal in order to determine the length
of lines we attempt to print.
Until now, we have used revision ecf753e7c962, which is over 4 years
old. Since then, github.com/olekukonko/ts has introduced support for
Solaris, which we previously could not build or run on because package
syscall on Solaris does not export an IOCTL constant.
Let's upgrade to the latest version, and bring in support for Solaris.