Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package git-crypt for openSUSE:Factory checked in at 2022-04-23 19:46:59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/git-crypt (Old) and /work/SRC/openSUSE:Factory/.git-crypt.new.1538 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "git-crypt" Sat Apr 23 19:46:59 2022 rev:2 rq:972297 version:0.7.0 Changes: -------- --- /work/SRC/openSUSE:Factory/git-crypt/git-crypt.changes 2018-02-01 21:30:06.771040732 +0100 +++ /work/SRC/openSUSE:Factory/.git-crypt.new.1538/git-crypt.changes 2022-04-23 19:49:08.675210060 +0200 @@ -1,0 +2,7 @@ +Sat Apr 23 08:58:51 UTC 2022 - Adam Mizerski <a...@mizerski.pl> + +- update to 0.7.0 + - Fix handling of "-" arguments. + - Minor documentation improvements. + +------------------------------------------------------------------- Old: ---- git-crypt-0.6.0.tar.gz New: ---- git-crypt-0.7.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ git-crypt.spec ++++++ --- /var/tmp/diff_new_pack.bm1ELC/_old 2022-04-23 19:49:09.111210578 +0200 +++ /var/tmp/diff_new_pack.bm1ELC/_new 2022-04-23 19:49:09.119210588 +0200 @@ -1,7 +1,7 @@ # # spec file for package git-crypt # -# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,15 +12,15 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # Name: git-crypt -Version: 0.6.0 +Version: 0.7.0 Release: 0 Summary: Transparent file encryption in git -License: GPL-3.0+ +License: GPL-3.0-or-later Group: Productivity/Security URL: https://www.agwa.name/projects/git-crypt/ Source: https://www.agwa.name/projects/git-crypt/downloads/git-crypt-%{version}.tar.gz ++++++ git-crypt-0.6.0.tar.gz -> git-crypt-0.7.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-crypt-0.6.0/CONTRIBUTING.md new/git-crypt-0.7.0/CONTRIBUTING.md --- old/git-crypt-0.6.0/CONTRIBUTING.md 2017-11-26 19:24:03.000000000 +0100 +++ new/git-crypt-0.7.0/CONTRIBUTING.md 2022-04-21 19:08:16.000000000 +0200 @@ -4,8 +4,7 @@ When contributing code, please consider the following guidelines: - * You are encouraged to open an issue on GitHub or send mail to - git-crypt-disc...@lists.cloudmutt.com to discuss any non-trivial + * You are encouraged to open an issue on GitHub to discuss any non-trivial changes before you start coding. * Please mimic the existing code style as much as possible. In @@ -15,8 +14,7 @@ * To minimize merge commits, please rebase your changes before opening a pull request. - * To submit your patch, open a pull request on GitHub or send a - properly-formatted patch to git-crypt-disc...@lists.cloudmutt.com. + * To submit your patch, open a pull request on GitHub. Finally, be aware that since git-crypt is security-sensitive software, the bar for contributions is higher than average. Please don't be diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-crypt-0.6.0/NEWS new/git-crypt-0.7.0/NEWS --- old/git-crypt-0.6.0/NEWS 2017-11-26 19:24:03.000000000 +0100 +++ new/git-crypt-0.7.0/NEWS 2022-04-21 19:08:16.000000000 +0200 @@ -1,3 +1,8 @@ +v0.7.0 (2022-04-21) + * Avoid "argument list too long" errors on macOS. + * Fix handling of "-" arguments. + * Minor documentation improvements. + v0.6.0 (2017-11-26) * Add support for OpenSSL 1.1 (still works with OpenSSL 1.0). * Switch to C++11 (gcc 4.9 or higher now required to build). diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-crypt-0.6.0/NEWS.md new/git-crypt-0.7.0/NEWS.md --- old/git-crypt-0.6.0/NEWS.md 2017-11-26 19:24:03.000000000 +0100 +++ new/git-crypt-0.7.0/NEWS.md 2022-04-21 19:08:16.000000000 +0200 @@ -1,6 +1,11 @@ News ==== +######v0.7.0 (2022-04-21) +* Avoid "argument list too long" errors on macOS. +* Fix handling of "-" arguments. +* Minor documentation improvements. + ######v0.6.0 (2017-11-26) * Add support for OpenSSL 1.1 (still works with OpenSSL 1.0). * Switch to C++11 (gcc 4.9 or higher now required to build). diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-crypt-0.6.0/README new/git-crypt-0.7.0/README --- old/git-crypt-0.6.0/README 2017-11-26 19:24:03.000000000 +0100 +++ new/git-crypt-0.7.0/README 2022-04-21 19:08:16.000000000 +0200 @@ -30,6 +30,7 @@ secretfile filter=git-crypt diff=git-crypt *.key filter=git-crypt diff=git-crypt + secretdir/** filter=git-crypt diff=git-crypt Like a .gitignore file, it can match wildcards and should be checked into the repository. See below for more information about .gitattributes. @@ -54,7 +55,7 @@ $ git-crypt export-key /path/to/key -After cloning a repository with encrypted files, unlock with with GPG: +After cloning a repository with encrypted files, unlock with GPG: $ git-crypt unlock @@ -69,7 +70,7 @@ CURRENT STATUS -The latest version of git-crypt is 0.6.0, released on 2017-11-26. +The latest version of git-crypt is 0.7.0, released on 2022-04-21. git-crypt aims to be bug-free and reliable, meaning it shouldn't crash, malfunction, or expose your confidential data. However, it has not yet reached maturity, meaning it is not as documented, @@ -108,6 +109,16 @@ of a file, or the fact that two files are identical (see "Security" section above). +git-crypt does not support revoking access to an encrypted repository +which was previously granted. This applies to both multi-user GPG +mode (there's no del-gpg-user command to complement add-gpg-user) +and also symmetric key mode (there's no support for rotating the key). +This is because it is an inherently complex problem in the context +of historical data. For example, even if a key was rotated at one +point in history, a user having the previous key can still access +previous repository history. This problem is discussed in more detail in +<https://github.com/AGWA/git-crypt/issues/47>. + Files encrypted with git-crypt are not compressible. Even the smallest change to an encrypted file requires git to store the entire changed file, instead of just a delta. @@ -138,20 +149,12 @@ encrypt all files beneath it. Also note that the pattern `dir/*` does not match files under -sub-directories of dir/. To encrypt an entire sub-tree dir/, place the -following in dir/.gitattributes: - - * filter=git-crypt diff=git-crypt - .gitattributes !filter !diff +sub-directories of dir/. To encrypt an entire sub-tree dir/, use `dir/**`: -The second pattern is essential for ensuring that .gitattributes itself -is not encrypted. + dir/** filter=git-crypt diff=git-crypt +The .gitattributes file must not be encrypted, so make sure wildcards don't +match it accidentally. If necessary, you can exclude .gitattributes from +encryption like this: -MAILING LISTS - -To stay abreast of, and provide input to, git-crypt development, consider -subscribing to one or both of our mailing lists: - -Announcements: https://lists.cloudmutt.com/mailman/listinfo/git-crypt-announce -Discussion: https://lists.cloudmutt.com/mailman/listinfo/git-crypt-discuss + .gitattributes !filter !diff diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-crypt-0.6.0/README.md new/git-crypt-0.7.0/README.md --- old/git-crypt-0.6.0/README.md 2017-11-26 19:24:03.000000000 +0100 +++ new/git-crypt-0.7.0/README.md 2022-04-21 19:08:16.000000000 +0200 @@ -31,6 +31,7 @@ secretfile filter=git-crypt diff=git-crypt *.key filter=git-crypt diff=git-crypt + secretdir/** filter=git-crypt diff=git-crypt Like a .gitignore file, it can match wildcards and should be checked into the repository. See below for more information about .gitattributes. @@ -55,7 +56,7 @@ git-crypt export-key /path/to/key -After cloning a repository with encrypted files, unlock with with GPG: +After cloning a repository with encrypted files, unlock with GPG: git-crypt unlock @@ -70,8 +71,8 @@ Current Status -------------- -The latest version of git-crypt is [0.6.0](NEWS.md), released on -2017-11-26. git-crypt aims to be bug-free and reliable, meaning it +The latest version of git-crypt is [0.7.0](NEWS.md), released on +2022-04-21. git-crypt aims to be bug-free and reliable, meaning it shouldn't crash, malfunction, or expose your confidential data. However, it has not yet reached maturity, meaning it is not as documented, featureful, or easy-to-use as it should be. Additionally, @@ -110,6 +111,16 @@ of a file, or the fact that two files are identical (see "Security" section above). +git-crypt does not support revoking access to an encrypted repository +which was previously granted. This applies to both multi-user GPG +mode (there's no del-gpg-user command to complement add-gpg-user) +and also symmetric key mode (there's no support for rotating the key). +This is because it is an inherently complex problem in the context +of historical data. For example, even if a key was rotated at one +point in history, a user having the previous key can still access +previous repository history. This problem is discussed in more detail in +<https://github.com/AGWA/git-crypt/issues/47>. + Files encrypted with git-crypt are not compressible. Even the smallest change to an encrypted file requires git to store the entire changed file, instead of just a delta. @@ -140,20 +151,12 @@ encrypt all files beneath it. Also note that the pattern `dir/*` does not match files under -sub-directories of dir/. To encrypt an entire sub-tree dir/, place the -following in dir/.gitattributes: - - * filter=git-crypt diff=git-crypt - .gitattributes !filter !diff +sub-directories of dir/. To encrypt an entire sub-tree dir/, use `dir/**`: -The second pattern is essential for ensuring that .gitattributes itself -is not encrypted. + dir/** filter=git-crypt diff=git-crypt -Mailing Lists -------------- +The .gitattributes file must not be encrypted, so make sure wildcards don't +match it accidentally. If necessary, you can exclude .gitattributes from +encryption like this: -To stay abreast of, and provide input to, git-crypt development, -consider subscribing to one or both of our mailing lists: - -* [Announcements](https://lists.cloudmutt.com/mailman/listinfo/git-crypt-announce) -* [Discussion](https://lists.cloudmutt.com/mailman/listinfo/git-crypt-discuss) + .gitattributes !filter !diff diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-crypt-0.6.0/commands.cpp new/git-crypt-0.7.0/commands.cpp --- old/git-crypt-0.6.0/commands.cpp 2017-11-26 19:24:03.000000000 +0100 +++ new/git-crypt-0.7.0/commands.cpp 2022-04-21 19:08:16.000000000 +0200 @@ -51,6 +51,12 @@ #include <exception> #include <vector> +enum { + // # of arguments per git checkout call; must be large enough to be efficient but small + // enough to avoid operating system limits on argument length + GIT_CHECKOUT_BATCH_SIZE = 100 +}; + static std::string attribute_name (const char* key_name) { if (key_name) { @@ -183,15 +189,19 @@ } } -static bool git_checkout (const std::vector<std::string>& paths) +static bool git_checkout_batch (std::vector<std::string>::const_iterator paths_begin, std::vector<std::string>::const_iterator paths_end) { + if (paths_begin == paths_end) { + return true; + } + std::vector<std::string> command; command.push_back("git"); command.push_back("checkout"); command.push_back("--"); - for (std::vector<std::string>::const_iterator path(paths.begin()); path != paths.end(); ++path) { + for (auto path(paths_begin); path != paths_end; ++path) { command.push_back(*path); } @@ -202,6 +212,18 @@ return true; } +static bool git_checkout (const std::vector<std::string>& paths) +{ + auto paths_begin(paths.begin()); + while (paths.end() - paths_begin >= GIT_CHECKOUT_BATCH_SIZE) { + if (!git_checkout_batch(paths_begin, paths_begin + GIT_CHECKOUT_BATCH_SIZE)) { + return false; + } + paths_begin += GIT_CHECKOUT_BATCH_SIZE; + } + return git_checkout_batch(paths_begin, paths.end()); +} + static bool same_key_name (const char* a, const char* b) { return (!a && !b) || (a && b && std::strcmp(a, b) == 0); @@ -1171,7 +1193,7 @@ } if (!git_checkout(encrypted_files)) { std::clog << "Error: 'git checkout' failed" << std::endl; - std::clog << "git-crypt has been locked but up but existing decrypted files have not been encrypted" << std::endl; + std::clog << "git-crypt has been locked up but existing decrypted files have not been encrypted" << std::endl; return 1; } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-crypt-0.6.0/git-crypt.hpp new/git-crypt-0.7.0/git-crypt.hpp --- old/git-crypt-0.6.0/git-crypt.hpp 2017-11-26 19:24:03.000000000 +0100 +++ new/git-crypt-0.7.0/git-crypt.hpp 2022-04-21 19:08:16.000000000 +0200 @@ -31,7 +31,7 @@ #ifndef GIT_CRYPT_GIT_CRYPT_HPP #define GIT_CRYPT_GIT_CRYPT_HPP -#define VERSION "0.6.0" +#define VERSION "0.7.0" extern const char* argv0; // initialized in main() to argv[0] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-crypt-0.6.0/man/git-crypt.xml new/git-crypt-0.7.0/man/git-crypt.xml --- old/git-crypt-0.6.0/man/git-crypt.xml 2017-11-26 19:24:03.000000000 +0100 +++ new/git-crypt-0.7.0/man/git-crypt.xml 2022-04-21 19:08:16.000000000 +0200 @@ -7,8 +7,8 @@ --> <refentryinfo> <title>git-crypt</title> - <date>2017-11-26</date> - <productname>git-crypt 0.6.0</productname> + <date>2022-04-21</date> + <productname>git-crypt 0.7.0</productname> <author> <othername>Andrew Ayer</othername> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/git-crypt-0.6.0/parse_options.cpp new/git-crypt-0.7.0/parse_options.cpp --- old/git-crypt-0.6.0/parse_options.cpp 2017-11-26 19:24:03.000000000 +0100 +++ new/git-crypt-0.7.0/parse_options.cpp 2022-04-21 19:08:16.000000000 +0200 @@ -43,7 +43,7 @@ { int argi = 0; - while (argi < argc && argv[argi][0] == '-') { + while (argi < argc && argv[argi][0] == '-' && argv[argi][1] != '\0') { if (std::strcmp(argv[argi], "--") == 0) { ++argi; break;
