remove unneded wbuf->fd = -1 There's no need to set the fd to -1 on ibufs created with imsg_create(3), and it was probably never needed.

convert to use imsg_get_fd() While here also fix a fd leak in got-read-pack. We were dup'ing imsg.fd without closing imsg.fd later; instead just use imsg_get_fd() to extract the file descriptor. Tested by falsifian and Kyle Ackerman, thanks! 'go ahead' stsp@

portable: configure: split out dependencies Rather than assume all dependencies are required for all programs, split them out. This will make packaging easier, as well as splitting the code to use subprojects. Note that due to the use of config.h semantics, in most cases the got_compat.h header file is now at the top of the .c file it is included in, so that it can handle the system header inclusion properly.

portable: rework SHA detection Simply the SHA detection by not predicating on libcrypto, but instead checking individual header files.

portable: remove sha1.h; found portably Remove sha1.h as this is found portably across systems.

include sha2.h too where sha1.h is included In preparation for wide sha256 support; stsp@ agrees. Change done mechanically with find . -iname \*.[cy] -exec sam {} + X ,x/<sha1\.h>/i/\n#include <sha2.h>

portable: add back sys/queue.h Now that the handling of including sys/queue.h is better, there's no need to remove those lines from the source. Copy the location of those original sys/queue.h lines from upstream at the same line number, so as to avoid any conflicts in the future.

add signer_id option to got.conf(5) Setting this option will cause 'got tag' to sign all created tags using the SSH key, unless overridden by the -s flag. ok stsp@

create and verify tags signed by SSH keys This adds a new -s flag to 'got tag' that specifies the signer identity (for example, a key file) of the tagger. The tag object will include a signature that validates each of the tag object headers and the tag message. Verifying these signed tags requires maintaining an allowed signers file which maps signer identities (i.e. the email address of the tagger) to SSH public keys. See ssh-keygen(1) for more details of the allowed signers file. After creating this file and providing the path to it in got.conf(5) using the allowed_signers option, tags may be verified using with 'got tag -V tag_name'. The return code will be non-zero if a signature fails to verify. ok stsp@

use capsicum on FreeBSD Thanks to the design of Got, the libexec helpers don't need any resource (in fact they run under pledge "stdio recvfd" on OpenBSD) and so using cap_enter(2) on FreeBSD is dead-easy. While the main process can't be sandboxed on FreeBSD (needs to exec the helpers), all the tough work is done by these small libexec helpers which is also the biggest attack surface. tested by naddy, ok thomas

imsg_add() frees its msg argument on error; avoid double-free in error paths

portable: add support for landlock landlock is a new set of linux APIs that is conceptually similar to unveil(2): the idea is to restrict what a process can do on a specified part of the filesystem. There are some differences in the behaviour: the major one being that the landlock ruleset is inherited across execve(2). This just restricts the libexec helpers by completely revoking ANY filesystem access; after all they are the biggest attack surface. got send/fetch/clone *may* end up spawning ssh(1), so at the moment is not possible to landlock the main process. From Omar Polo.

portable: add FreeBSD support This adds the capability to compile got-portable on FreeBSD.

portable: initial Linux compilation This commit modifies the GoT main branch to be able to compile it under linux.

tweak implementation of separate send {} and fetch {} conf blocks Tweak man page. Factor out repeated code in if/else branches in send_gotconfig_remotes(). ok stsp@

provide separate send {} and fetch {} configuration blocks in got.conf Feature requested by naddy. ok naddy, who also suggested some tweaks that will arrive shortly

validate non-optional settings in send {} and fetch {} config blocks.

make close(2) failure checks consistent; check 'close() == -1' everywhere ok millert, naddy

add a 'reference' directive to remote repositories in got.conf(5) Make use of this in 'got clone' to persist -R option arguments given on the command line in the cloned repository's got.conf(5) file.

add a 'fetch-all-branches' configuration setting to got.conf(5) Set fetch-all-branches in the got.conf(5) file created by 'got clone -a' in order to make a future 'got fetch' act like 'got fetch -a' by default.

add "branch" keyword to got.conf which specifies a list of branches to fetch ok tracey

remove redundant leading slashes from repository path parsed from got.conf

fix got.conf overriding GOT_AUTHOR even if no author is set in got.conf

do not rely on <zlib.h> to pull in <unistd.h>

Stop including <sys/syslimits.h> directly. POSIX says the limits defined there are available from <limits.h>, which almost all affected source files already included anyway. ok millert stsp