This version is not yet released. However given that python2 will soon
go end-of-life (without security updates), this seems like a good move.
The package was also lacking proper qt wrapping and unusable before.
https://about.gitlab.com/blog/2019/12/10/critical-security-release-gitlab-12-5-4-released/
Insufficient parameter sanitization for Maven package registry could lead to privilege escalation and remote code execution vulnerabilities under certain conditions. The issue is now mitigated in the latest release and is assigned CVE-2019-19628.
When transferring a public project to a private group, private code would be disclosed via the Group Search API provided by Elasticsearch integration. The issue is now mitigated in the latest release and is assigned CVE-2019-19629.
The Git dependency has been upgraded to 2.22.2 in order to apply security fixes detailed here.
CVE-2019-19604 was identified by the GitLab Security Research team. For more information on that issue, please visit the GitLab Security Research Advisory
closes#75506.
Since bash-completion rules are loaded dynamically, the completion
rules for `gitk <Tab>` waere not being loaded until the user first
typed `git <Tab>`. Fix this by adding a symlink named `gitk`.
Signed-off-by: Anders Kaseorg <andersk@mit.edu>
* yadm: add missing dependencies (#73615)
* yadm: replace buildCommand with installPhase
This let the fixup phase compress man pages and patch shebangs
When perlSupport = false, we will set NO_PERL=1, and build Git without
Perl support. This is a build option that Git supports. However, Git's
test suite still requires a Perl to be available to run the tests, and
we did not provide one. The tests respect PERL_PATH, and if it is not
set, they default to /usr/bin/perl.
Before this commit, if we set "perlSupport = false", then no Perl would
be available to the package, and so the tests would default to
/usr/bin/perl. When building without a sandbox, that could still work,
even though there is no "perl" on the path, because the tests defaulted
to an absolute path.
You can reproduce this issue as follows:
nix-build -E 'let pkgs = (import ./default.nix) {}; in pkgs.git.override { perlSupport = false; }'
I just ran into this when trying to build pkgs.git from an old version
of Nixpkgs that I was able to build just fine in the past, and today it
would not build any more, complaining when running the tests:
make -C t/ all
make[1]: Entering directory '/build/git-2.18.0/t'
rm -f -r 'test-results'
/nix/store/czx8vkrb9jdgjyz8qfksh10vrnqa723l-bash-4.4-p23/bin/bash: /usr/bin/perl: No such file or directory
In the past the sandbox was not enabled by default, so then it worked
for me. But now that it is enabled, my host's (not NixOS) /usr/bin/perl
is no longer accessible, and the build fails.
The solution is to explicitly set PERL_PATH when running the tests. This
*almost* works, except that there appears to be a bug in the test for
"git request-pull". That command is a Bash script that calls Perl at
some point, so it requires Perl, and therefore it cannot be supported
when NO_PERL=1. But that particular test does not check whether Git was
compiled with Perl support (other tests do include that check), and that
makes the test fail:
t5150-request-pull.sh ..............................
not ok 4 - pull request after push
not ok 5 - request asks HEAD to be pulled
not ok 6 - pull request format
not ok 7 - request-pull ignores OPTIONS_KEEPDASHDASH poison
not ok 9 - pull request with mismatched object
not ok 10 - pull request with stale object
Dubious, test returned 1 (wstat 256, 0x100)
Failed 6/10 subtests
This output makes sense if you look at t5150-request-pull.sh. Test 1 and
2 are setup steps. Test 3 does call request-pull, but it expects the
command to fail, and it cannot distinguish between the command exiting
with a nonzero exit code, or failing to start it at all. So test 3
passes for the wrong reasons. Test 4 through 10 all call request-pull,
so they fail.
The quick workaround here is to disable the test. I will look into
upstreaming a patch that makes the test skip itself when Perl is
disabled.
The tests for null patterns where changed in 25754125cef278c7e9492fbd6dc4a28319b01f18,
it's possible utf-8 normalisation is causing different behaviour here.
not ok 54 - LC_ALL='C' git grep -P -f f -i 'Æ<NUL>[Ð]' a
not ok 57 - LC_ALL='C' git grep -P -f f -i '[Æ]<NUL>Ð' a
not ok 60 - LC_ALL='C' git grep -P -f f -i '[Æ]<NUL>ð' a
not ok 63 - LC_ALL='C' git grep -P -f f -i 'Æ<NUL>Ð' a
Dubious, test returned 1 (wstat 256, 0x100)
Failed 4/145 subtests
(less 48 skipped subtests: 93 okay)
Hydra fails to build the assets on i686 - it runs out of memory. If we
limit the max consumption to 2048MB the assets still build, and will
hopefully also build on hydra.
For some reason hydra seems to have issues downloading the
gitlab-workhorse source on macOS. Since we don't build the rails app
for macOS, the other components seem a bit useless there, so we
limit them to linux for now.