portable: add back sys/queue.h Now that the handling of including sys/queue.h is better, there's no need to remove those lines from the source. Copy the location of those original sys/queue.h lines from upstream at the same line number, so as to avoid any conflicts in the future.

add signer_id option to got.conf(5) Setting this option will cause 'got tag' to sign all created tags using the SSH key, unless overridden by the -s flag. ok stsp@

create and verify tags signed by SSH keys This adds a new -s flag to 'got tag' that specifies the signer identity (for example, a key file) of the tagger. The tag object will include a signature that validates each of the tag object headers and the tag message. Verifying these signed tags requires maintaining an allowed signers file which maps signer identities (i.e. the email address of the tagger) to SSH public keys. See ssh-keygen(1) for more details of the allowed signers file. After creating this file and providing the path to it in got.conf(5) using the allowed_signers option, tags may be verified using with 'got tag -V tag_name'. The return code will be non-zero if a signature fails to verify. ok stsp@

use capsicum on FreeBSD Thanks to the design of Got, the libexec helpers don't need any resource (in fact they run under pledge "stdio recvfd" on OpenBSD) and so using cap_enter(2) on FreeBSD is dead-easy. While the main process can't be sandboxed on FreeBSD (needs to exec the helpers), all the tough work is done by these small libexec helpers which is also the biggest attack surface. tested by naddy, ok thomas

imsg_add() frees its msg argument on error; avoid double-free in error paths

portable: add support for landlock landlock is a new set of linux APIs that is conceptually similar to unveil(2): the idea is to restrict what a process can do on a specified part of the filesystem. There are some differences in the behaviour: the major one being that the landlock ruleset is inherited across execve(2). This just restricts the libexec helpers by completely revoking ANY filesystem access; after all they are the biggest attack surface. got send/fetch/clone *may* end up spawning ssh(1), so at the moment is not possible to landlock the main process. From Omar Polo.

portable: add FreeBSD support This adds the capability to compile got-portable on FreeBSD.

portable: initial Linux compilation This commit modifies the GoT main branch to be able to compile it under linux.

tweak implementation of separate send {} and fetch {} conf blocks Tweak man page. Factor out repeated code in if/else branches in send_gotconfig_remotes(). ok stsp@

provide separate send {} and fetch {} configuration blocks in got.conf Feature requested by naddy. ok naddy, who also suggested some tweaks that will arrive shortly

validate non-optional settings in send {} and fetch {} config blocks.

make close(2) failure checks consistent; check 'close() == -1' everywhere ok millert, naddy

add a 'reference' directive to remote repositories in got.conf(5) Make use of this in 'got clone' to persist -R option arguments given on the command line in the cloned repository's got.conf(5) file.

add a 'fetch-all-branches' configuration setting to got.conf(5) Set fetch-all-branches in the got.conf(5) file created by 'got clone -a' in order to make a future 'got fetch' act like 'got fetch -a' by default.

add "branch" keyword to got.conf which specifies a list of branches to fetch ok tracey

remove redundant leading slashes from repository path parsed from got.conf

fix got.conf overriding GOT_AUTHOR even if no author is set in got.conf

do not rely on <zlib.h> to pull in <unistd.h>

Stop including <sys/syslimits.h> directly. POSIX says the limits defined there are available from <limits.h>, which almost all affected source files already included anyway. ok millert stsp

initialize variable in got-read-gotconfig to fix SIGBUS in free(3) on sparc64

add got.conf(5) configuration file ok tracey