Commit Briefs

Thomas Adam

make 'got fetch -b branch' error reporting more helpful

The patch to got-fetch-pack.c was written by stsp with only minor tweaks by me. Regress updated to account for the change in reporting. stsp's original got-fetch-pack.c diff ok op jamsek ok stsp@


Thomas Adam

special case 'got fetch -b <branch>' to only fetch <branch>

As discussed on irc, this drops the implicit remote HEAD fetch when -b is used. got.1 has been updated to make the new fetch behaviour clear. ok stsp@


Thomas Adam

got: use intermediate pointers to plug leak on realloc

And save worktree_branch_len for reuse. ok stsp@ and op@


Thomas Adam

fix interaction of 'got fetch -b', got.conf, and work tree

Without branches in got.conf for a remote, and without -b/-R options, the fallback to HEAD would only work when not invoked in a work tree. With this fix 'got fetch' should behave as described in the man page. The -b option now overrides both got.conf and the fallback to the work tree's branch. And fallback to HEAD works as expected when invoked in a repository. Also, do not strictly require remote repositories to provide a branch from the refs/heads/ namespace. In such cases users should be able to use -R to select something to fetch. ok jamsek


Thomas Adam

got_imsg_fetch_ref: use struct instead of buffer for id

ok stsp@


Thomas Adam

got_imsg_fetch_have_ref: use struct instead of buffer for id

ok stsp@


Thomas Adam

replace malloc+memcpy with strndup. no functional change intended

ok stsp@


Thomas Adam

got: minor refactor of got_pathlist_free() API

Accept flag parameter to optionally specify which pointers to free. This saves callers looping through the list to free pointers. ok + fix stsp@


Thomas Adam

fix uninitialised fildes variables in libexec helpers

Reviewed and uncovered as part of the diff in the forthcoming commit (pathlist API refactor). ok stsp@


Thomas Adam

always cast ctype's is*() arguments to unsigned char

ok stsp@




Thomas Adam

got-fetch-pack: fix wrong memmove length leading to dubious checksum failures

ok millert tracey



Thomas Adam

fix snprintf error handling

follow the "proper secure idiom" described in the CAVEATS section of printf(3). reminded by tb@ and millert@


Thomas Adam

convert two snprintf to strlcpy

"looks good to me" millert@


Thomas Adam

portable: add back sys/queue.h

Now that the handling of including sys/queue.h is better, there's no need to remove those lines from the source. Copy the location of those original sys/queue.h lines from upstream at the same line number, so as to avoid any conflicts in the future.


Omar Polo

use capsicum on FreeBSD

Thanks to the design of Got, the libexec helpers don't need any resource (in fact they run under pledge "stdio recvfd" on OpenBSD) and so using cap_enter(2) on FreeBSD is dead-easy. While the main process can't be sandboxed on FreeBSD (needs to exec the helpers), all the tough work is done by these small libexec helpers, which are also the biggest attack surface. tested by naddy, ok thomas




Thomas Adam

portable: add support for landlock

landlock is a new set of Linux APIs that is conceptually similar to unveil(2): the idea is to restrict what a process can do on a specified part of the filesystem. There are some differences in the behaviour: the major one being that the landlock ruleset is inherited across execve(2). This just restricts the libexec helpers by completely revoking ANY filesystem access; after all they are the biggest attack surface. got send/fetch/clone *may* end up spawning ssh(1), so at the moment it is not possible to landlock the main process. From Omar Polo.


Thomas Adam

plug memory leaks in got-fetch-pack and got-send-pack

ok naddy


Thomas Adam

let 'got fetch' send all references to the server to avoid redundant downloads

Problem reported by naddy. ok naddy



Thomas Adam

portable: add FreeBSD support

This adds the capability to compile got-portable on FreeBSD.