make 'got fetch -b branch' error reporting more helpful The patch to got-fetch-pack.c was written by stsp with only minor tweaks by me. Regress updated to account for the change in reporting. stsp's original got-fetch-pack.c diff ok op jamsek ok stsp@

special case 'got fetch -b <branch>' to only fetch <branch> As discussed on irc, this drops the implicit remote HEAD fetch when -b is used. got.1 has been updated to make the new fetch behaviour clear. ok stsp@

got: use intermediate pointers to plug leak on realloc And save worktree_branch_len for reuse. ok stsp@ and op@

fix interaction of 'got fetch -b', got.conf, and work tree Without branches in got.conf for a remote, and without -b/-R options, the fallback to HEAD would only work when not invoked in a work tree. With this fix 'got fetch' should behave as described in the man page. The -b option now overrides both got.conf and the fallback to the work tree's branch. And fallback to HEAD works as expected when invoked in a repository. Also, do not strictly require remote repositories to provide a branch from the refs/heads/ namespace. In such cases users should be able to use -R to select something to fetch. ok jamsek

got_imsg_fetch_ref: use struct instead of buffer for id ok stsp@

got_imsg_fetch_have_ref: use struct instead of buffer for id ok stsp@

replace malloc+memcpy with strndup. no functional change intended ok stsp@

got: minor refactor of got_pathlist_free() API Accept flag parameter to optionally specify which pointers to free. This saves callers looping through the list to free pointers. ok + fix stsp@

fix uninitialised fildes variables in libexec helpers Reviewed and uncovered as part of the diff in the forthcoming commit (pathlist API refactor). ok stsp@

always cast ctype' is*() arguments to unsigned char ok stsp@

make 'got clone -b' work for repositories which lack a HEAD reference ok op@

avoid looping over SHA1Update() in got-fetch-pack; suggested by millert@

got-fetch-pack: fix wrong memmove length leading to dubious checksum failures ok millert tracey

remove trailing whitespace; patch by Josiah Frentsos

fix snprintf error handling follow the "proper secure idiom" described in the CAVEATS section of printf(3). reminded by tb@ and millert@

convert two snprintf to strlcpy "looks good to me" millert@

portable: add back sys/queue.h Now that the handling of including sys/queue.h is better, there's no need to remove those lines from the source. Copy the location of those original sys/queue.h lines from upstream at the same line number, so as to avoid any conflicts in the future.

use capsicum on FreeBSD Thanks to the design of Got, the libexec helpers don't need any resource (in fact they run under pledge "stdio recvfd" on OpenBSD) and so using cap_enter(2) on FreeBSD is dead-easy. While the main process can't be sandboxed on FreeBSD (needs to exec the helpers), all the tough work is done by these small libexec helpers which is also the biggest attack surface. tested by naddy, ok thomas

imsg_add() frees its msg argument on error; avoid double-free in error paths

apply time-based rate-limiting to got-fetch-pack download progress output

portable: add support for landlock landlock is a new set of linux APIs that is conceptually similar to unveil(2): the idea is to restrict what a process can do on a specified part of the filesystem. There are some differences in the behaviour: the major one being that the landlock ruleset is inherited across execve(2). This just restricts the libexec helpers by completely revoking ANY filesystem access; after all they are the biggest attack surface. got send/fetch/clone *may* end up spawning ssh(1), so at the moment is not possible to landlock the main process. From Omar Polo.

plug memory leaks in got-fetch-pack and got-send-pack ok naddy

let 'got fetch' send all references to the server to avoid redundant downloads Problem reported by naddy. ok naddy

fix some integers that had a slightly wrong type; patch by Omar Polo

portable: add FreeBSD support This adds the capability to compile got-portable on FreeBSD.