Your message dated Sat, 08 Feb 2020 14:21:36 +0000
with message-id
<cf1cb2f35981916a86b98b83609df15c95aa378b.ca...@adam-barratt.org.uk>
and subject line Closing requests included in 10.3 point release
has caused the Debian Bug report #948854,
regarding buster-pu: package git-lfs/2.7.1-1+deb10u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
948854: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=948854
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
Hi,
git-lfs FTBFS in stretch since some security updates were applied to
golang-1.11. #940485
Let's cherry-pick the corresponding fix from sid.
The updated package is already uploaded.
Andreas
diff -Nru git-lfs-2.7.1/debian/changelog git-lfs-2.7.1/debian/changelog
--- git-lfs-2.7.1/debian/changelog 2019-02-27 06:33:53.000000000 +0100
+++ git-lfs-2.7.1/debian/changelog 2020-01-14 00:26:10.000000000 +0100
@@ -1,3 +1,13 @@
+git-lfs (2.7.1-1+deb10u1) buster; urgency=medium
+
+ * Non-maintainer upload.
+
+ [ Stephen Gelman ]
+ * Backport a fix from upstream that fixes FTBFS under Go 1.12.8, 1.11.13
+ (aka 1.11.6-1+deb10u1) (Closes: #940485)
+
+ -- Andreas Beckmann <[email protected]> Tue, 14 Jan 2020 00:26:10 +0100
+
git-lfs (2.7.1-1) unstable; urgency=medium
* New upstream release
diff -Nru git-lfs-2.7.1/debian/patches/0002-fix-url-parsing.patch
git-lfs-2.7.1/debian/patches/0002-fix-url-parsing.patch
--- git-lfs-2.7.1/debian/patches/0002-fix-url-parsing.patch 1970-01-01
01:00:00.000000000 +0100
+++ git-lfs-2.7.1/debian/patches/0002-fix-url-parsing.patch 2020-01-14
00:26:10.000000000 +0100
@@ -0,0 +1,61 @@
+From f06492430e8f4a37136c746a29cffb7149beae08 Mon Sep 17 00:00:00 2001
+From: "brian m. carlson" <[email protected]>
+Date: Wed, 14 Aug 2019 14:49:48 +0000
+Subject: [PATCH] lfsapi: fix URL parsing with Go 1.12.8
+
+Go 1.12.8 introduces a security fix for parsing URLs that contain a
+colon followed by an invalid port number. Since our SSH remotes can
+contain just such a colon, our hack to make these into URLs no longer
+works.
+
+Fix this by replacing the first colon in these "URLs" with a slash,
+which is a path delimiter, which makes them parsable by newer versions
+of Go. Update the name of the function since it now does more than its
+previous name implies.
+---
+ lfsapi/auth.go | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/lfsapi/auth.go b/lfsapi/auth.go
+index 5a99a5b01..1de332e99 100644
+--- a/lfsapi/auth.go
++++ b/lfsapi/auth.go
+@@ -192,7 +192,7 @@ func getCredURLForAPI(ef EndpointFinder, operation, remote
string, apiEndpoint l
+
+ if len(remote) > 0 {
+ if u := ef.GitRemoteURL(remote, operation == "upload"); u != ""
{
+- schemedUrl, _ := prependEmptySchemeIfAbsent(u)
++ schemedUrl, _ := fixSchemelessURL(u)
+
+ gitRemoteURL, err := url.Parse(schemedUrl)
+ if err != nil {
+@@ -214,12 +214,13 @@ func getCredURLForAPI(ef EndpointFinder, operation,
remote string, apiEndpoint l
+ return apiURL, nil
+ }
+
+-// prependEmptySchemeIfAbsent prepends an empty scheme "//" if none was found
in
+-// the URL in order to satisfy RFC 3986 §3.3, and `net/url.Parse()`.
++// fixSchemelessURL prepends an empty scheme "//" if none was found in
++// the URL and replaces the first colon with a slash in order to satisfy RFC
++// 3986 §3.3, and `net/url.Parse()`.
+ //
+ // It returns a string parse-able with `net/url.Parse()` and a boolean whether
+ // or not an empty scheme was added.
+-func prependEmptySchemeIfAbsent(u string) (string, bool) {
++func fixSchemelessURL(u string) (string, bool) {
+ if hasScheme(u) {
+ return u, false
+ }
+@@ -231,7 +232,11 @@ func prependEmptySchemeIfAbsent(u string) (string, bool) {
+ // First path segment has a colon, assumed that it's a
+ // scheme-less URL. Append an empty scheme on top to
+ // satisfy RFC 3986 §3.3, and `net/url.Parse()`.
+- return fmt.Sprintf("//%s", u), true
++ //
++ // In addition, replace the first colon with a slash since
++ // otherwise the colon looks like it's introducing a port
++ // number.
++ return fmt.Sprintf("//%s", strings.Replace(u, ":", "/", 1)),
true
+ }
+ return u, true
+ }
diff -Nru git-lfs-2.7.1/debian/patches/series
git-lfs-2.7.1/debian/patches/series
--- git-lfs-2.7.1/debian/patches/series 1970-01-01 01:00:00.000000000 +0100
+++ git-lfs-2.7.1/debian/patches/series 2020-01-14 00:26:10.000000000 +0100
@@ -0,0 +1 @@
+0002-fix-url-parsing.patch
--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 10.3
Hi,
Each of the uploads referred to by these bugs was included in today's
stable point release.
Regards,
Adam
--- End Message ---
