One of our dependencies now requires Go 1.17. Bump the version in
go.mod accordingly. To please Go, now also run `go mod tidy`, which
separates the indirect dependencies into separate stanzas.
The version we're using is vulnerable to CVE-2022-32149. We don't use
the vulnerable code, but upgrade the remaining golang.org/x packages we
depend on, since the text package is merely a dependency of them. In
doing so, we'll update the text package, and avoid triggering any
warning from vulnerability scanners.
In addition, now that we're using released versions, it will be easier
to keep things up to date.
Versions before v3.0.0, including the version from 2020 we're using,
lack the patches in v3.0.1 that fix a security issue. Update to v3.0.1
to improve the security situation here.
Update the vendored golang.org/x/crypto and golang.org/x/text
modules to the latest versions, which in turn updates the vendored
copy of the golang.org/x/net and golang.org/x/sys modules.
Updating these modules' entries in vendor/modules.txt and go.{mod,sum}
means we will not be flagged by security scanners regarding either
CVE-2021-38561 or CVE-2022-27191, neither of which should actually
affect Git LFS.
The Git LFS client should not be affected by CVE-2021-38561 as it
pertains to the Go x/text/language package and specifically the BCP 47
tag functions, which Git LFS does not use.
The Git LFS client should not be affected by CVE-2022-27191 as it
pertains to the Go x/crypto/ssh package and specifically a crash
vulnerability in the SSH server functions, which Git LFS does not use.
The specific commands run to perform this update were:
go get golang.org/x/crypto@latest &&
go get golang.org/x/text@latest &&
go mod tidy && go mod vendor
Bump gitobj to v2.1.0 to fix merges of tree entries where an
existing tree entry has a different file permissions mode than
the tree entry being merged with it. This should resolve the
problem with import migrations reported in issue #4796 where
existing .gitattributes files with the execute permission mode
set resulted in duplicate .gitattributes tree entries after
import, instead of a single merged entry.
After updating go.mod, the specific commands used for this update
were:
go mod tidy && go mod vendor
h/t bk2204 for spotting the simplest fix for this
Update the vendored golang.org/x/crypto module to the
latest version, which in turn updates the vendored copy
of the x/sys module.
While the portions of x/crypto vendored into this project do
not actually change at all, updating the module's entry in
vendor/modules.txt and go.{mod,sum} means we will not be
flagged by security scanners regarding CVE-2020-29652 in the
x/crypto/ssh library code.
The Git LFS client should not be affected by that security
issue, since we do not use the ssh component of the x/crypto
module.
The specific commands run to perform this update were:
go get golang.org/x/crypto@latest &&
go mod tidy && go mod vendor
Since we're about to do a v3.0.0 release, let's bump the version to v3.
Make this change automatically with the following command to avoid any
missed items:
git grep -l github.com/git-lfs/git-lfs/v2 | \
xargs sed -i -e 's!github.com/git-lfs/git-lfs/v2!github.com/git-lfs/git-lfs/v3!g'
Since Git LFS is only intended to be utilized as a compiled
binary and as we do not provide any guarantee of a stable API
or ABI, add notes to this effect in go.mod and our main README.
When our go.mod file was introduced in commit
114e85c2002091eb415040923d872f8e4a4bc636 in PR #3208, the module
path chosen did not include a trailing /v2 component. However,
the Go modules specification now advises that module paths must
have a "major version suffix" which matches the release version.
We therefore add a /v2 suffix to our module path and all its
instances in import paths.
See also https://golang.org/ref/mod#major-version-suffixes for
details regarding the Go module system's major version suffix rule.
We have a pktline repository that provides our pkt-line code from Git
LFS, but separated out into a separate, reusable repository. The
current code is private to the git package, and since we'll want to
use it in the future from multiple packages, it makes sense to just use
the separate repository, which we want to do anyway.
Let's include the repository in our go.mod and vendor the modules.
Remove the old code and replace its use with the new code.
When using Go 1.16 in CI, go get is upgrading some of our dependencies
automatically, and since these items are not in the go.sum file, Go
complains and refuses to build our binary. Let's bump the relevant
dependencies and vendor the resulting modules to make sure that Go can
build our binary successfully on a fresh Go 1.16.
This version uses a newer version of the Kerberos library, which should
work better in some environments. Tidy the go.mod and go.sum files and
vendor the dependencies.
Update x/text to v0.3.5 that fixes CVE-2020-28852.
The specific commands used for this update:
"go get golang.org/x/text@latest && go mod tidy && go mod vendor"
Update the vendored golang.org/x/net module to the latest
version, which in turn updates the vendored copy of the
golang.org/x/text module to 0.3.3. That version of x/text
includes a mitigation of CVE-2020-14040, which pertains to
processing UTF-16 data with a Byte Order Mark.
The Git LFS client should not be affected by that security
issue, since it does not open streams in UTF-16 mode, but
we update our modules to stay current with the upstream Go
sources and also to avoid being flagged by security scanners.
The specific commands run to perform this update were:
"go get golang.org/x/net@latest && go mod tidy && go mod vendor"
Use the IoctlFileClone ioctl wrapper provided by golang.org/x/sys/unix
instead of locally implementing it. This also fixes the ioctl on
GOARCHes where the value of FICLONE is different from the currently used
ioctlFiClone value (e.g. mips64/mips64le and ppc64/ppc64le).
This PR also bumps the version of golang.org/x/sys to get
IoctlFileClone and updates its vendored version by running
`go get golang.org/x/sys@latest && go mod tidy && go mod vendor`.
Previously, trying to compile `util_darwin.go` against a recent version
of `golang/sys` library failed with:
```
util_darwin.go:127:3: undefined: unix.SYS_CLONEFILEAT
```
Go v1.12 removed the ability to use direct syscalls. The clonefile
system call was added to the latest `golang/sys` in
https://github.com/golang/go/issues/41366, so we can use that now.
Git will start to support SHA-256 as a hash for repositories in the near
future. Let's update gitobj to version 2 to support SHA-256
repositories properly. We initialize the repository based on the
extensions.objectFormat value, if one is provided, since this is the
configuration key that represents the hash algorithm.
Vendor the proper dependencies in place.
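As an added illustration of the behaviour this commit describes (selecting the object hash from the extensions.objectFormat key), here is example code that is not part of Git LFS or gitobj; the function names are my own, and the SHA-256 blob ID is only checked for length because the example embeds no known SHA-256 reference value:

```go
package main

import (
	"crypto"
	_ "crypto/sha1"   // register SHA-1 with the crypto package
	_ "crypto/sha256" // register SHA-256 with the crypto package
	"encoding/hex"
	"fmt"
)

// objectFormatHash maps the value of Git's extensions.objectFormat
// configuration key to the hash used for object IDs. An empty value
// means the key is unset, which Git treats as SHA-1.
func objectFormatHash(objectFormat string) (crypto.Hash, error) {
	switch objectFormat {
	case "", "sha1":
		return crypto.SHA1, nil
	case "sha256":
		return crypto.SHA256, nil
	default:
		return 0, fmt.Errorf("unknown extensions.objectFormat %q", objectFormat)
	}
}

// blobOID computes the object ID of a Git blob under the given hash:
// the hash of the header "blob <size>\x00" followed by the content.
func blobOID(h crypto.Hash, content []byte) string {
	hasher := h.New()
	fmt.Fprintf(hasher, "blob %d\x00", len(content))
	hasher.Write(content)
	return hex.EncodeToString(hasher.Sum(nil))
}

// oidForObjectFormat is the convenience entry point: given the configured
// object format and the blob content, return the hex object ID.
func oidForObjectFormat(objectFormat string, content []byte) (string, error) {
	h, err := objectFormatHash(objectFormat)
	if err != nil {
		return "", err
	}
	return blobOID(h, content), nil
}

func main() {
	// Constructed sample content: the blob Git stores for "hello\n".
	oid, _ := oidForObjectFormat("", []byte("hello\n"))
	fmt.Println("sha1 blob:", oid)
	oid, _ = oidForObjectFormat("sha256", []byte("hello\n"))
	fmt.Println("sha256 blob:", oid)
}
```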
We'll need some additional dependencies to add support for Kerberos to
Git LFS. In order to support HTTP SPNEGO (Negotiate) support, add the
required modules and vendor their dependencies.
Testing showed that while the race condition analysis in #3880 was correct, the way it tries to fix that
does not work for the *first* git-lfs process that will actually perform the file move.
Instead, this commit performs multiple attempts when working with files in LFS storage.
Similar logic is already implemented in "cmd/go/internal/robustio" and "cmd/go/internal/renameio" packages.
However, they are not public, so we cannot use them.
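The retry approach this commit describes, as an added example that is not Git LFS's own code and not the Go toolchain's robustio or renameio packages. Which errors count as transient is an assumption for this example (EACCES and EBUSY, which another process still holding the file can produce); the function names are mine:

```go
package main

import (
	"errors"
	"os"
	"syscall"
	"time"
)

// isTransient reports whether err looks like a temporary failure worth
// retrying. Assumption for this example: EACCES and EBUSY, which can be
// returned while another process (a scanner, or a concurrent git-lfs
// invocation) still has the file open, and which usually clear shortly.
func isTransient(err error) bool {
	return errors.Is(err, syscall.EACCES) || errors.Is(err, syscall.EBUSY)
}

// retry runs op until it succeeds, returns a non-transient error, or the
// attempt budget is exhausted. It returns the number of attempts made and
// the last error. The sleep between attempts doubles, capped at maxSleep.
func retry(op func() error, attempts int, initialSleep, maxSleep time.Duration) (int, error) {
	sleep := initialSleep
	var err error
	for i := 1; i <= attempts; i++ {
		err = op()
		if err == nil || !isTransient(err) {
			return i, err
		}
		if i == attempts {
			break
		}
		time.Sleep(sleep)
		if sleep *= 2; sleep > maxSleep {
			sleep = maxSleep
		}
	}
	return attempts, err
}

// renameRobust moves a file into LFS storage, retrying transient errors
// instead of failing on the first one.
func renameRobust(oldpath, newpath string) error {
	_, err := retry(func() error { return os.Rename(oldpath, newpath) },
		5, 5*time.Millisecond, 100*time.Millisecond)
	return err
}
```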
The original parser that was used in #3825 brings in a lot of
dependencies that complicate packaging git-lfs. This replaces it with a
small parser I wrote with almost no dependencies. I've tested this as
extensively as I can and it seems to work correctly.
Update wildmatch to v1.0.4 to fix an issue with matching non-ASCII
patterns.
Note that the version number is v1.0.4 instead of v1.0.3 because the
master branch of wildmatch contains changes which are valuable but not
currently compatible with Git LFS and v1.0.3 was mistakenly tagged from
these changes. These changes would break semantic versioning, so the
tag was deleted and v1.0.4 was tagged with only compatible changes.
We can adopt these incompatible changes in the future, but it's better
to fix this bug now since it is causing pain for multiple users rather
than wait to address these changes until the new wildmatch can be
included.
This declaration is automatically added by Go 1.13 if it doesn't exist
during any build step. Since we don't want the file to be modified
during normal use, explicitly declare it as 1.11, since that's the
oldest version we currently support.
Go 1.13 has become stricter and now requires that the timestamps in
go.mod reflect the commit timestamps. Update go.mod and go.sum to make
sure that Go 1.13 is happy.
Vendor the `golang.org/x/net` dependency. This will be used in a
future commit to add HTTP/2 transport support.
Note that due to the way go modules work, the `golang.org/x/sys`
dependency was updated as well when running `make vendor`.
The code which allocated and used a pty on Unix systems was unused, but
it did bring in a dependency on the github.com/kr/pty module. This
module is unmaintained and doesn't compile with gccgo. Since we no
longer need the pty code or this module, remove both of them.
The upstream of go-ntlm has archived its repository and is no longer
doing releases. Because this dependency is required for Git LFS, we've
created our own fork to ensure that the upstream repo doesn't disappear
on us. Use our own copy of go-ntlm within Git LFS.
In a future commit, we'll introduce a use of the semaphore package to
prevent goroutines from accidentally running us out of resources. Add
the package to go.mod and go.sum and vendor it in.
Update wildmatch to v1.0.2, which fixes the default case-sensitivity
settings such that Windows and Mac are case insensitive by default and
other Unices are case sensitive by default.