diff -pruN 5.14.0-1/debian/changelog 5.16.2-1/debian/changelog --- 5.14.0-1/debian/changelog 2025-03-16 14:52:17.000000000 +0000 +++ 5.16.2-1/debian/changelog 2025-10-05 11:45:16.000000000 +0000 @@ -1,3 +1,17 @@ +golang-github-go-git-go-git (5.16.2-1) unstable; urgency=medium + + * Team upload. + * New upstream version. + * Add salsa-ci. + * Use watch v5. + * Drop Rules-Requires-Root: no. + * Run wrap-and-sort -akb. + * Add Static-Built-Using. + * Skip FTBFS'ing TestSendPackOnNonEmptyWithReportStatusWithError. + Closes: #1114132. + + -- Simon Josefsson Sun, 05 Oct 2025 13:45:16 +0200 + golang-github-go-git-go-git (5.14.0-1) unstable; urgency=medium * Team upload. diff -pruN 5.14.0-1/debian/control 5.16.2-1/debian/control --- 5.14.0-1/debian/control 2025-03-16 14:52:17.000000000 +0000 +++ 5.16.2-1/debian/control 2025-10-05 11:45:16.000000000 +0000 @@ -6,16 +6,19 @@ Testsuite: autopkgtest-pkg-go Priority: optional Build-Depends: debhelper-compat (= 13), dh-golang, + git, golang-any, golang-github-armon-go-socks5-dev , golang-github-elazarl-goproxy-dev , golang-github-emirpasic-gods-dev, golang-github-gliderlabs-ssh-dev , + golang-github-go-git-go-billy-dev (>= 5.5.0), + golang-github-go-git-go-git-fixtures-dev (>= 4.3.1~git20240304.46037e5) , golang-github-golang-groupcache-dev, golang-github-google-go-cmp-dev , - golang-github-go-git-go-billy-dev (>= 5.5.0), golang-github-imdario-mergo-dev, golang-github-jbenet-go-context-dev, + golang-github-jessevdk-go-flags-dev, golang-github-kevinburke-ssh-config-dev, golang-github-pjbgf-sha1cd-dev, golang-github-protonmail-go-crypto-dev, @@ -23,21 +26,17 @@ Build-Depends: debhelper-compat (= 13), golang-github-skeema-knownhosts-dev, golang-github-src-d-gcfg-dev, golang-github-xanzy-ssh-agent-dev, - golang-github-jessevdk-go-flags-dev, golang-golang-x-crypto-dev, golang-golang-x-net-dev, golang-golang-x-sys-dev, - golang-gopkg-check.v1-dev, golang-golang-x-text-dev , - golang-github-go-git-go-git-fixtures-dev (>= 4.3.1~git20240304.46037e5) , - git, + golang-gopkg-check.v1-dev, help2man , tzdata Standards-Version: 4.7.2 Vcs-Browser: https://salsa.debian.org/go-team/packages/golang-github-go-git-go-git Vcs-Git: https://salsa.debian.org/go-team/packages/golang-github-go-git-go-git.git Homepage: https://github.com/go-git/go-git -Rules-Requires-Root: no XS-Go-Import-Path: github.com/go-git/go-git Package: golang-github-go-git-go-git-dev @@ -45,10 +44,11 @@ Architecture: all Multi-Arch: foreign Breaks: gitsign (<< 0.12.0-4~) Depends: golang-github-emirpasic-gods-dev, - golang-github-golang-groupcache-dev, golang-github-go-git-go-billy-dev (>= 5.5.0), + golang-github-golang-groupcache-dev, golang-github-imdario-mergo-dev, golang-github-jbenet-go-context-dev, + golang-github-jessevdk-go-flags-dev, golang-github-kevinburke-ssh-config-dev, golang-github-pjbgf-sha1cd-dev, golang-github-protonmail-go-crypto-dev, @@ -56,7 +56,6 @@ Depends: golang-github-emirpasic-gods-de golang-github-skeema-knownhosts-dev, golang-github-src-d-gcfg-dev, golang-github-xanzy-ssh-agent-dev, - golang-github-jessevdk-go-flags-dev, golang-golang-x-crypto-dev, golang-golang-x-net-dev, golang-golang-x-sys-dev, @@ -72,8 +71,9 @@ Description: highly extensible Git imple Package: go-git Architecture: any Built-Using: ${misc:Built-Using} -Depends: ${shlibs:Depends}, - ${misc:Depends} +Static-Built-Using: ${misc:Static-Built-Using} +Depends: ${misc:Depends}, + ${shlibs:Depends} Description: highly extensible Git implementation in pure Go (command line) go-git is a highly extensible git implementation library written in pure Go. . diff -pruN 5.14.0-1/debian/patches/fix-ftbfs.patch 5.16.2-1/debian/patches/fix-ftbfs.patch --- 5.14.0-1/debian/patches/fix-ftbfs.patch 1970-01-01 00:00:00.000000000 +0000 +++ 5.16.2-1/debian/patches/fix-ftbfs.patch 2025-10-05 11:45:16.000000000 +0000 @@ -0,0 +1,23 @@ +Forwarded: https://github.com/go-git/go-git/issues/1681 +Last-Update: 2025-10-05 +From: Simon Josefsson +Subject: Fix FTBFS + +diff --git a/plumbing/transport/test/receive_pack.go b/plumbing/transport/test/receive_pack.go +index d4d2b107..08132d39 100644 +--- a/plumbing/transport/test/receive_pack.go ++++ b/plumbing/transport/test/receive_pack.go +@@ -206,11 +206,11 @@ func (s *ReceivePackSuite) TestSendPackOnNonEmptyWithReportStatusWithError(c *C) + report, err := s.receivePackNoCheck(c, endpoint, req, fixture, full) + //XXX: Recent git versions return "failed to update ref", while older + // (>=1.9) return "failed to lock". +- c.Assert(err, ErrorMatches, ".*(failed to update ref|failed to lock).*") ++ c.Assert(err, ErrorMatches, ".*(failed to update ref|failed to lock|reference already exists).*") + c.Assert(report.UnpackStatus, Equals, "ok") + c.Assert(len(report.CommandStatuses), Equals, 1) + c.Assert(report.CommandStatuses[0].ReferenceName, Equals, plumbing.ReferenceName("refs/heads/master")) +- c.Assert(report.CommandStatuses[0].Status, Matches, "(failed to update ref|failed to lock)") ++ c.Assert(report.CommandStatuses[0].Status, Matches, "(failed to update ref|failed to lock|reference already exists)") + s.checkRemoteHead(c, endpoint, plumbing.NewHash(fixture.Head)) + } + diff -pruN 5.14.0-1/debian/patches/series 5.16.2-1/debian/patches/series --- 5.14.0-1/debian/patches/series 2024-12-04 19:36:37.000000000 +0000 +++ 5.16.2-1/debian/patches/series 2025-10-05 11:45:16.000000000 +0000 @@ -1,3 +1,4 @@ use-another-gcfg.patch disable-test-with-unreliable-tilde-expansion.patch use-explicit-localhost-ip.patch +fix-ftbfs.patch diff -pruN 5.14.0-1/debian/salsa-ci.yml 5.16.2-1/debian/salsa-ci.yml --- 5.14.0-1/debian/salsa-ci.yml 1970-01-01 00:00:00.000000000 +0000 +++ 5.16.2-1/debian/salsa-ci.yml 2025-10-05 11:45:16.000000000 +0000 @@ -0,0 +1,11 @@ +include: +- https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml + +variables: + SALSA_CI_AUTOPKGTEST_ALLOWED_EXIT_STATUS: '0' + SALSA_CI_DISABLE_APTLY: 0 + SALSA_CI_DISABLE_BUILD_REVERSE_DEPENDENCIES: 0 + SALSA_CI_DISABLE_LICENSERECON: 0 + SALSA_CI_ENABLE_WRAP_AND_SORT: 'true' + SALSA_CI_LINTIAN_FAIL_WARNING: '1' + SALSA_CI_WRAP_AND_SORT_ARGS: '-akb' diff -pruN 5.14.0-1/debian/watch 5.16.2-1/debian/watch --- 5.14.0-1/debian/watch 2024-12-04 19:36:37.000000000 +0000 +++ 5.16.2-1/debian/watch 2025-10-05 11:45:16.000000000 +0000 @@ -1,4 +1,4 @@ -version=4 -opts="filenamemangle=s%(?:.*?)?v?(\d[\d.]*)\.tar\.gz%@PACKAGE@-$1.tar.gz%,\ - uversionmangle=s/(\d)[_\.\-\+]?(RC|rc|pre|dev|beta|alpha)[.]?(\d*)$/$1~$2$3/" \ - https://github.com/go-git/go-git/tags .*/v?(\d\S*)\.tar\.gz debian +Version: 5 +Template: Github +Owner: go-git +Project: go-git diff -pruN 5.14.0-1/go.mod 5.16.2-1/go.mod --- 5.14.0-1/go.mod 2025-02-27 13:12:35.000000000 +0000 +++ 5.16.2-1/go.mod 2025-10-05 11:43:05.000000000 +0000 @@ -7,7 +7,7 @@ toolchain go1.23.6 require ( dario.cat/mergo v1.0.0 - github.com/ProtonMail/go-crypto v1.1.5 + github.com/ProtonMail/go-crypto v1.1.6 github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 github.com/elazarl/goproxy v1.7.2 github.com/emirpasic/gods v1.18.1 @@ -24,17 +24,17 @@ require ( github.com/skeema/knownhosts v1.3.1 github.com/stretchr/testify v1.10.0 github.com/xanzy/ssh-agent v0.3.3 - golang.org/x/crypto v0.35.0 - golang.org/x/net v0.35.0 - golang.org/x/sys v0.30.0 - golang.org/x/text v0.22.0 + golang.org/x/crypto v0.37.0 + golang.org/x/net v0.39.0 + golang.org/x/sys v0.32.0 + golang.org/x/text v0.24.0 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c ) require ( github.com/Microsoft/go-winio v0.6.2 // indirect github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be // indirect - github.com/cloudflare/circl v1.6.0 // indirect + github.com/cloudflare/circl v1.6.1 // indirect github.com/cyphar/filepath-securejoin v0.4.1 // indirect github.com/davecgh/go-spew v1.1.1 // indirect github.com/kr/pretty v0.3.1 // indirect diff -pruN 5.14.0-1/go.sum 5.16.2-1/go.sum --- 5.14.0-1/go.sum 2025-02-27 13:12:35.000000000 +0000 +++ 5.16.2-1/go.sum 2025-10-05 11:43:05.000000000 +0000 @@ -3,14 +3,14 @@ dario.cat/mergo v1.0.0/go.mod h1:uNxQE+8 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY= github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY= github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU= -github.com/ProtonMail/go-crypto v1.1.5 h1:eoAQfK2dwL+tFSFpr7TbOaPNUbPiJj4fLYwwGE1FQO4= -github.com/ProtonMail/go-crypto v1.1.5/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE= +github.com/ProtonMail/go-crypto v1.1.6 h1:ZcV+Ropw6Qn0AX9brlQLAUXfqLBc7Bl+f/DmNxpLfdw= +github.com/ProtonMail/go-crypto v1.1.6/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE= github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8= github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= -github.com/cloudflare/circl v1.6.0 h1:cr5JKic4HI+LkINy2lg3W2jF8sHCVTBncJr5gIIq7qk= -github.com/cloudflare/circl v1.6.0/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs= +github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0= +github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s= github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI= @@ -70,27 +70,27 @@ github.com/stretchr/testify v1.10.0/go.m github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM= github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw= golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= -golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs= -golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ= +golang.org/x/crypto v0.37.0 h1:kJNSjF/Xp7kU0iB2Z+9viTPMW4EqqsrywMXLJOOsXSE= +golang.org/x/crypto v0.37.0/go.mod h1:vg+k43peMZ0pUMhYmVAWysMK35e6ioLh3wB8ZCAfbVc= golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 h1:2dVuKD2vS7b0QIHQbpyTISPd0LeHDbnYEryqj5Q1ug8= golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56/go.mod h1:M4RDyNAINzryxdtnbRXRL/OHtkFuWGRjvuhBJpk2IlY= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.35.0 h1:T5GQRQb2y08kTAByq9L4/bz8cipCdA8FbRTXewonqY8= -golang.org/x/net v0.35.0/go.mod h1:EglIi67kWsHKlRzzVMUD93VMSWGFOMSZgxFjparz1Qk= +golang.org/x/net v0.39.0 h1:ZCu7HMWDxpXpaiKdhzIfaltL9Lp31x/3fCP11bc6/fY= +golang.org/x/net v0.39.0/go.mod h1:X7NRbYVEA+ewNkCNyJ513WmMdQ3BineSwVtN2zD/d+E= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc= -golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.32.0 h1:s77OFDvIQeibCmezSnk/q6iAfkdiQaJi4VzroCFrN20= +golang.org/x/sys v0.32.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.29.0 h1:L6pJp37ocefwRRtYPKSWOWzOtWSxVajvz2ldH/xi3iU= -golang.org/x/term v0.29.0/go.mod h1:6bl4lRlvVuDgSf3179VpIxBF0o10JUpXWOnI7nErv7s= +golang.org/x/term v0.31.0 h1:erwDkOK1Msy6offm1mOgvspSkslFnIGsFnxOKoufg3o= +golang.org/x/term v0.31.0/go.mod h1:R4BeIy7D95HzImkxGkTW1UQTtP54tio2RyHz7PwK0aw= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= -golang.org/x/text v0.22.0 h1:bofq7m3/HAFvbF51jz3Q9wLg3jkvSPuiZu/pD1XwgtM= -golang.org/x/text v0.22.0/go.mod h1:YRoo4H8PVmsu+E3Ou7cqLVH8oXWIHVoX0jqUWALQhfY= +golang.org/x/text v0.24.0 h1:dd5Bzh4yt5KYA8f9CJHCP4FB4D51c2c6JvN37xJJkJ0= +golang.org/x/text v0.24.0/go.mod h1:L8rBsPeo2pSS+xqN0d5u2ikmjtmoJbDBT1b7nHvFCdU= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= diff -pruN 5.14.0-1/options.go 5.16.2-1/options.go --- 5.14.0-1/options.go 2025-02-27 13:12:35.000000000 +0000 +++ 5.16.2-1/options.go 2025-10-05 11:43:05.000000000 +0000 @@ -8,6 +8,7 @@ import ( "time" "github.com/ProtonMail/go-crypto/openpgp" + "github.com/go-git/go-git/v5/config" "github.com/go-git/go-git/v5/plumbing" formatcfg "github.com/go-git/go-git/v5/plumbing/format/config" @@ -72,9 +73,16 @@ type CloneOptions struct { // Tags describe how the tags will be fetched from the remote repository, // by default is AllTags. Tags TagMode - // InsecureSkipTLS skips ssl verify if protocol is https + // InsecureSkipTLS skips SSL verification if protocol is HTTPS. InsecureSkipTLS bool - // CABundle specify additional ca bundle with system cert pool + // ClientCert is the client certificate to use for mutual TLS authentication + // over the HTTPS protocol. + ClientCert []byte + // ClientKey is the client key to use for mutual TLS authentication over + // the HTTPS protocol. + ClientKey []byte + // CABundle specifies an additional CA bundle to use together with the + // system cert pool. CABundle []byte // ProxyOptions provides info required for connecting to a proxy. ProxyOptions transport.ProxyOptions @@ -153,9 +161,16 @@ type PullOptions struct { // Force allows the pull to update a local branch even when the remote // branch does not descend from it. Force bool - // InsecureSkipTLS skips ssl verify if protocol is https + // InsecureSkipTLS skips SSL verification if protocol is HTTPS. InsecureSkipTLS bool - // CABundle specify additional ca bundle with system cert pool + // ClientCert is the client certificate to use for mutual TLS authentication + // over the HTTPS protocol. + ClientCert []byte + // ClientKey is the client key to use for mutual TLS authentication over + // the HTTPS protocol. + ClientKey []byte + // CABundle specifies an additional CA bundle to use together with the + // system cert pool. CABundle []byte // ProxyOptions provides info required for connecting to a proxy. ProxyOptions transport.ProxyOptions @@ -211,9 +226,16 @@ type FetchOptions struct { // Force allows the fetch to update a local branch even when the remote // branch does not descend from it. Force bool - // InsecureSkipTLS skips ssl verify if protocol is https + // InsecureSkipTLS skips SSL verification if protocol is HTTPS. InsecureSkipTLS bool - // CABundle specify additional ca bundle with system cert pool + // ClientCert is the client certificate to use for mutual TLS authentication + // over the HTTPS protocol. + ClientCert []byte + // ClientKey is the client key to use for mutual TLS authentication over + // the HTTPS protocol. + ClientKey []byte + // CABundle specifies an additional CA bundle to use together with the + // system cert pool. CABundle []byte // ProxyOptions provides info required for connecting to a proxy. ProxyOptions transport.ProxyOptions @@ -267,9 +289,16 @@ type PushOptions struct { // Force allows the push to update a remote branch even when the local // branch does not descend from it. Force bool - // InsecureSkipTLS skips ssl verify if protocol is https + // InsecureSkipTLS skips SSL verification if protocol is HTTPS. InsecureSkipTLS bool - // CABundle specify additional ca bundle with system cert pool + // ClientCert is the client certificate to use for mutual TLS authentication + // over the HTTPS protocol. + ClientCert []byte + // ClientKey is the client key to use for mutual TLS authentication over + // the HTTPS protocol. + ClientKey []byte + // CABundle specifies an additional CA bundle to use together with the + // system cert pool. CABundle []byte // RequireRemoteRefs only allows a remote ref to be updated if its current // value is the one specified here. @@ -693,9 +722,16 @@ func (o *CreateTagOptions) loadConfigTag type ListOptions struct { // Auth credentials, if required, to use with the remote repository. Auth transport.AuthMethod - // InsecureSkipTLS skips ssl verify if protocol is https + // InsecureSkipTLS skips SSL verification if protocol is HTTPS. InsecureSkipTLS bool - // CABundle specify additional ca bundle with system cert pool + // ClientCert is the client certificate to use for mutual TLS authentication + // over the HTTPS protocol. + ClientCert []byte + // ClientKey is the client key to use for mutual TLS authentication over + // the HTTPS protocol. + ClientKey []byte + // CABundle specifies an additional CA bundle to use together with the + // system cert pool. CABundle []byte // PeelingOption defines how peeled objects are handled during a // remote list. diff -pruN 5.14.0-1/plumbing/transport/common.go 5.16.2-1/plumbing/transport/common.go --- 5.14.0-1/plumbing/transport/common.go 2025-02-27 13:12:35.000000000 +0000 +++ 5.16.2-1/plumbing/transport/common.go 2025-10-05 11:43:05.000000000 +0000 @@ -113,9 +113,17 @@ type Endpoint struct { Port int // Path is the repository path. Path string - // InsecureSkipTLS skips ssl verify if protocol is https + // InsecureSkipTLS skips SSL verification if Protocol is HTTPS. InsecureSkipTLS bool - // CaBundle specify additional ca bundle with system cert pool + // ClientCert specifies an optional client certificate to use for mutual + // TLS authentication if Protocol is HTTPS. + ClientCert []byte + // ClientKey specifies an optional client key to use for mutual TLS + // authentication if Protocol is HTTPS. + ClientKey []byte + // CaBundle specifies an optional CA bundle to use for SSL verification + // if Protocol is HTTPS. The bundle is added in addition to the system + // CA bundle. CaBundle []byte // Proxy provides info required for connecting to a proxy. Proxy ProxyOptions diff -pruN 5.14.0-1/plumbing/transport/http/common.go 5.16.2-1/plumbing/transport/http/common.go --- 5.14.0-1/plumbing/transport/http/common.go 2025-02-27 13:12:35.000000000 +0000 +++ 5.16.2-1/plumbing/transport/http/common.go 2025-10-05 11:43:05.000000000 +0000 @@ -15,12 +15,13 @@ import ( "strings" "sync" + "github.com/golang/groupcache/lru" + "github.com/go-git/go-git/v5/plumbing" "github.com/go-git/go-git/v5/plumbing/protocol/packp" "github.com/go-git/go-git/v5/plumbing/protocol/packp/capability" "github.com/go-git/go-git/v5/plumbing/transport" "github.com/go-git/go-git/v5/utils/ioutil" - "github.com/golang/groupcache/lru" ) // it requires a bytes.Buffer, because we need to know the length @@ -185,6 +186,18 @@ func transportWithInsecureTLS(transport transport.TLSClientConfig.InsecureSkipVerify = true } +func transportWithClientCert(transport *http.Transport, cert, key []byte) error { + keyPair, err := tls.X509KeyPair(cert, key) + if err != nil { + return err + } + if transport.TLSClientConfig == nil { + transport.TLSClientConfig = &tls.Config{} + } + transport.TLSClientConfig.Certificates = []tls.Certificate{keyPair} + return nil +} + func transportWithCABundle(transport *http.Transport, caBundle []byte) error { rootCAs, err := x509.SystemCertPool() if err != nil { @@ -206,6 +219,11 @@ func transportWithProxy(transport *http. } func configureTransport(transport *http.Transport, ep *transport.Endpoint) error { + if len(ep.ClientCert) > 0 && len(ep.ClientKey) > 0 { + if err := transportWithClientCert(transport, ep.ClientCert, ep.ClientKey); err != nil { + return err + } + } if len(ep.CaBundle) > 0 { if err := transportWithCABundle(transport, ep.CaBundle); err != nil { return err @@ -230,7 +248,7 @@ func newSession(c *client, ep *transport // We need to configure the http transport if there are transport specific // options present in the endpoint. - if len(ep.CaBundle) > 0 || ep.InsecureSkipTLS || ep.Proxy.URL != "" { + if len(ep.ClientKey) > 0 || len(ep.ClientCert) > 0 || len(ep.CaBundle) > 0 || ep.InsecureSkipTLS || ep.Proxy.URL != "" { var transport *http.Transport // if the client wasn't configured to have a cache for transports then just configure // the transport and use it directly, otherwise try to use the cache. @@ -242,9 +260,13 @@ func newSession(c *client, ep *transport } transport = tr.Clone() - configureTransport(transport, ep) + if err := configureTransport(transport, ep); err != nil { + return nil, err + } } else { transportOpts := transportOptions{ + clientCert: string(ep.ClientCert), + clientKey: string(ep.ClientKey), caBundle: string(ep.CaBundle), insecureSkipTLS: ep.InsecureSkipTLS, } @@ -260,7 +282,9 @@ func newSession(c *client, ep *transport if !found { transport = c.client.Transport.(*http.Transport).Clone() - configureTransport(transport, ep) + if err := configureTransport(transport, ep); err != nil { + return nil, err + } c.addTransport(transportOpts, transport) } } diff -pruN 5.14.0-1/plumbing/transport/http/common_test.go 5.16.2-1/plumbing/transport/http/common_test.go --- 5.14.0-1/plumbing/transport/http/common_test.go 2025-02-27 13:12:35.000000000 +0000 +++ 5.16.2-1/plumbing/transport/http/common_test.go 2025-10-05 11:43:05.000000000 +0000 @@ -111,12 +111,12 @@ func (s *ClientSuite) TestNewUnexpectedE func (s *ClientSuite) Test_newSession(c *C) { cl := NewClientWithOptions(nil, &ClientOptions{ - CacheMaxEntries: 2, + CacheMaxEntries: 3, }).(*client) - insecureEP := s.Endpoint + insecureEP := *s.Endpoint insecureEP.InsecureSkipTLS = true - session, err := newSession(cl, insecureEP, nil) + session, err := newSession(cl, &insecureEP, nil) c.Assert(err, IsNil) sessionTransport := session.client.Transport.(*http.Transport) @@ -131,7 +131,7 @@ func (s *ClientSuite) Test_newSession(c caEndpoint := insecureEP caEndpoint.CaBundle = []byte("this is the way") - session, err = newSession(cl, caEndpoint, nil) + session, err = newSession(cl, &caEndpoint, nil) c.Assert(err, IsNil) sessionTransport = session.client.Transport.(*http.Transport) @@ -146,7 +146,7 @@ func (s *ClientSuite) Test_newSession(c // cached transport should be the one that's used. c.Assert(sessionTransport, Equals, t) - session, err = newSession(cl, caEndpoint, nil) + session, err = newSession(cl, &caEndpoint, nil) c.Assert(err, IsNil) sessionTransport = session.client.Transport.(*http.Transport) // transport that's going to be used should be cached already. @@ -156,7 +156,7 @@ func (s *ClientSuite) Test_newSession(c // if the cache does not exist, the transport should still be correctly configured. cl.transports = nil - session, err = newSession(cl, insecureEP, nil) + session, err = newSession(cl, &insecureEP, nil) c.Assert(err, IsNil) sessionTransport = session.client.Transport.(*http.Transport) diff -pruN 5.14.0-1/plumbing/transport/http/transport.go 5.16.2-1/plumbing/transport/http/transport.go --- 5.14.0-1/plumbing/transport/http/transport.go 2025-02-27 13:12:35.000000000 +0000 +++ 5.16.2-1/plumbing/transport/http/transport.go 2025-10-05 11:43:05.000000000 +0000 @@ -9,8 +9,10 @@ import ( type transportOptions struct { insecureSkipTLS bool // []byte is not comparable. - caBundle string - proxyURL url.URL + clientCert string + clientKey string + caBundle string + proxyURL url.URL } func (c *client) addTransport(opts transportOptions, transport *http.Transport) { diff -pruN 5.14.0-1/plumbing/transport/ssh/auth_method.go 5.16.2-1/plumbing/transport/ssh/auth_method.go --- 5.14.0-1/plumbing/transport/ssh/auth_method.go 2025-02-27 13:12:35.000000000 +0000 +++ 5.16.2-1/plumbing/transport/ssh/auth_method.go 2025-10-05 11:43:05.000000000 +0000 @@ -54,7 +54,7 @@ func (a *KeyboardInteractive) String() s } func (a *KeyboardInteractive) ClientConfig() (*ssh.ClientConfig, error) { - return a.SetHostKeyCallback(&ssh.ClientConfig{ + return a.SetHostKeyCallbackAndAlgorithms(&ssh.ClientConfig{ User: a.User, Auth: []ssh.AuthMethod{ a.Challenge, @@ -78,7 +78,7 @@ func (a *Password) String() string { } func (a *Password) ClientConfig() (*ssh.ClientConfig, error) { - return a.SetHostKeyCallback(&ssh.ClientConfig{ + return a.SetHostKeyCallbackAndAlgorithms(&ssh.ClientConfig{ User: a.User, Auth: []ssh.AuthMethod{ssh.Password(a.Password)}, }) @@ -101,7 +101,7 @@ func (a *PasswordCallback) String() stri } func (a *PasswordCallback) ClientConfig() (*ssh.ClientConfig, error) { - return a.SetHostKeyCallback(&ssh.ClientConfig{ + return a.SetHostKeyCallbackAndAlgorithms(&ssh.ClientConfig{ User: a.User, Auth: []ssh.AuthMethod{ssh.PasswordCallback(a.Callback)}, }) @@ -150,7 +150,7 @@ func (a *PublicKeys) String() string { } func (a *PublicKeys) ClientConfig() (*ssh.ClientConfig, error) { - return a.SetHostKeyCallback(&ssh.ClientConfig{ + return a.SetHostKeyCallbackAndAlgorithms(&ssh.ClientConfig{ User: a.User, Auth: []ssh.AuthMethod{ssh.PublicKeys(a.Signer)}, }) @@ -211,7 +211,7 @@ func (a *PublicKeysCallback) String() st } func (a *PublicKeysCallback) ClientConfig() (*ssh.ClientConfig, error) { - return a.SetHostKeyCallback(&ssh.ClientConfig{ + return a.SetHostKeyCallbackAndAlgorithms(&ssh.ClientConfig{ User: a.User, Auth: []ssh.AuthMethod{ssh.PublicKeysCallback(a.Callback)}, }) @@ -230,11 +230,26 @@ func (a *PublicKeysCallback) ClientConfi // ~/.ssh/known_hosts // /etc/ssh/ssh_known_hosts func NewKnownHostsCallback(files ...string) (ssh.HostKeyCallback, error) { - kh, err := newKnownHosts(files...) - return ssh.HostKeyCallback(kh), err + kh, err := NewKnownHostsDb(files...) + if err != nil { + return nil, err + } + return kh.HostKeyCallback(), nil } -func newKnownHosts(files ...string) (knownhosts.HostKeyCallback, error) { +// NewKnownHostsDb returns knownhosts.HostKeyDB based on a file based on a +// known_hosts file. http://man.openbsd.org/sshd#SSH_KNOWN_HOSTS_FILE_FORMAT +// +// If list of files is empty, then it will be read from the SSH_KNOWN_HOSTS +// environment variable, example: +// +// /home/foo/custom_known_hosts_file:/etc/custom_known/hosts_file +// +// If SSH_KNOWN_HOSTS is not set the following file locations will be used: +// +// ~/.ssh/known_hosts +// /etc/ssh/ssh_known_hosts +func NewKnownHostsDb(files ...string) (*knownhosts.HostKeyDB, error) { var err error if len(files) == 0 { @@ -247,7 +262,7 @@ func newKnownHosts(files ...string) (kno return nil, err } - return knownhosts.New(files...) + return knownhosts.NewDB(files...) } func getDefaultKnownHostsFiles() ([]string, error) { @@ -289,25 +304,50 @@ func filterKnownHostsFiles(files ...stri } // HostKeyCallbackHelper is a helper that provides common functionality to -// configure HostKeyCallback into a ssh.ClientConfig. +// configure HostKeyCallback and HostKeyAlgorithms into a ssh.ClientConfig. type HostKeyCallbackHelper struct { // HostKeyCallback is the function type used for verifying server keys. - // If nil default callback will be create using NewKnownHostsCallback + // If nil, a default callback will be created using NewKnownHostsDb // without argument. HostKeyCallback ssh.HostKeyCallback + + // HostKeyAlgorithms is a list of supported host key algorithms that will + // be used for host key verification. + HostKeyAlgorithms []string + + // fallback allows for injecting the fallback call, which is called + // when a HostKeyCallback is not set. + fallback func(files ...string) (ssh.HostKeyCallback, error) } -// SetHostKeyCallback sets the field HostKeyCallback in the given cfg. If -// HostKeyCallback is empty a default callback is created using -// NewKnownHostsCallback. -func (m *HostKeyCallbackHelper) SetHostKeyCallback(cfg *ssh.ClientConfig) (*ssh.ClientConfig, error) { - var err error +// SetHostKeyCallbackAndAlgorithms sets the field HostKeyCallback and HostKeyAlgorithms in the given cfg. +// If the host key callback or algorithms is empty it is left empty. It will be handled by the dial method, +// falling back to knownhosts. +func (m *HostKeyCallbackHelper) SetHostKeyCallbackAndAlgorithms(cfg *ssh.ClientConfig) (*ssh.ClientConfig, error) { + if cfg == nil { + cfg = &ssh.ClientConfig{} + } + if m.HostKeyCallback == nil { - if m.HostKeyCallback, err = NewKnownHostsCallback(); err != nil { - return cfg, err + if m.fallback == nil { + m.fallback = NewKnownHostsCallback } + + hkcb, err := m.fallback() + if err != nil { + return nil, fmt.Errorf("cannot create known hosts callback: %w", err) + } + + cfg.HostKeyCallback = hkcb + cfg.HostKeyAlgorithms = m.HostKeyAlgorithms + return cfg, err } cfg.HostKeyCallback = m.HostKeyCallback + cfg.HostKeyAlgorithms = m.HostKeyAlgorithms return cfg, nil } + +func (m *HostKeyCallbackHelper) SetHostKeyCallback(cfg *ssh.ClientConfig) (*ssh.ClientConfig, error) { + return m.SetHostKeyCallbackAndAlgorithms(cfg) +} diff -pruN 5.14.0-1/plumbing/transport/ssh/auth_method_test.go 5.16.2-1/plumbing/transport/ssh/auth_method_test.go --- 5.14.0-1/plumbing/transport/ssh/auth_method_test.go 2025-02-27 13:12:35.000000000 +0000 +++ 5.16.2-1/plumbing/transport/ssh/auth_method_test.go 2025-10-05 11:43:05.000000000 +0000 @@ -4,11 +4,16 @@ import ( "bufio" "fmt" "os" + "reflect" "runtime" + "slices" "strings" + "testing" "github.com/go-git/go-billy/v5/osfs" "github.com/go-git/go-billy/v5/util" + "github.com/stretchr/testify/assert" + "github.com/stretchr/testify/require" "golang.org/x/crypto/ssh" "golang.org/x/crypto/ssh/testdata" @@ -18,7 +23,8 @@ import ( type ( SuiteCommon struct{} - mockKnownHosts struct{} + mockKnownHosts struct{} + mockKnownHostsWithCert struct{} ) func (mockKnownHosts) host() string { return "github.com" } @@ -27,6 +33,19 @@ func (mockKnownHosts) knownHosts() []byt } func (mockKnownHosts) Network() string { return "tcp" } func (mockKnownHosts) String() string { return "github.com:22" } +func (mockKnownHosts) Algorithms() []string { + return []string{ssh.KeyAlgoRSA, ssh.KeyAlgoRSASHA256, ssh.KeyAlgoRSASHA512} +} + +func (mockKnownHostsWithCert) host() string { return "github.com" } +func (mockKnownHostsWithCert) knownHosts() []byte { + return []byte(`@cert-authority github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==`) +} +func (mockKnownHostsWithCert) Network() string { return "tcp" } +func (mockKnownHostsWithCert) String() string { return "github.com:22" } +func (mockKnownHostsWithCert) Algorithms() []string { + return []string{ssh.CertAlgoRSASHA512v01, ssh.CertAlgoRSASHA256v01, ssh.CertAlgoRSAv01} +} var _ = Suite(&SuiteCommon{}) @@ -230,3 +249,172 @@ func (*SuiteCommon) TestNewKnownHostsCal err = clb(mock.String(), mock, hostKey) c.Assert(err, IsNil) } + +func (*SuiteCommon) TestNewKnownHostsDbWithoutCert(c *C) { + if runtime.GOOS == "js" { + c.Skip("not available in wasm") + } + + var mock = mockKnownHosts{} + + f, err := util.TempFile(osfs.Default, "", "known-hosts") + c.Assert(err, IsNil) + + _, err = f.Write(mock.knownHosts()) + c.Assert(err, IsNil) + + err = f.Close() + c.Assert(err, IsNil) + + defer util.RemoveAll(osfs.Default, f.Name()) + + f, err = osfs.Default.Open(f.Name()) + c.Assert(err, IsNil) + + defer f.Close() + + db, err := NewKnownHostsDb(f.Name()) + c.Assert(err, IsNil) + + algos := db.HostKeyAlgorithms(mock.String()) + c.Assert(algos, HasLen, len(mock.Algorithms())) + + for _, algorithm := range mock.Algorithms() { + if !slices.Contains(algos, algorithm) { + c.Error("algos does not contain ", algorithm) + } + } +} + +func (*SuiteCommon) TestNewKnownHostsDbWithCert(c *C) { + if runtime.GOOS == "js" { + c.Skip("not available in wasm") + } + + var mock = mockKnownHostsWithCert{} + + f, err := util.TempFile(osfs.Default, "", "known-hosts") + c.Assert(err, IsNil) + + _, err = f.Write(mock.knownHosts()) + c.Assert(err, IsNil) + + err = f.Close() + c.Assert(err, IsNil) + + defer util.RemoveAll(osfs.Default, f.Name()) + + f, err = osfs.Default.Open(f.Name()) + c.Assert(err, IsNil) + + defer f.Close() + + db, err := NewKnownHostsDb(f.Name()) + c.Assert(err, IsNil) + + algos := db.HostKeyAlgorithms(mock.String()) + c.Assert(algos, HasLen, len(mock.Algorithms())) + + for _, algorithm := range mock.Algorithms() { + if !slices.Contains(algos, algorithm) { + c.Error("algos does not contain ", algorithm) + } + } +} + +func TestHostKeyCallbackHelper(t *testing.T) { + cb1 := ssh.FixedHostKey(nil) + tests := []struct { + name string + cb ssh.HostKeyCallback + algos []string + fallback func(files ...string) (ssh.HostKeyCallback, error) + cc *ssh.ClientConfig + want *ssh.ClientConfig + wantErr string + }{ + { + name: "keep existing callback if set", + cb: cb1, + cc: &ssh.ClientConfig{}, + want: &ssh.ClientConfig{ + HostKeyCallback: cb1, + }, + }, + { + name: "create new client config is one isn't provided", + cb: cb1, + cc: nil, + want: &ssh.ClientConfig{ + HostKeyCallback: cb1, + }, + }, + { + name: "respect pre-set algos", + cb: cb1, + algos: []string{"foo"}, + cc: &ssh.ClientConfig{}, + want: &ssh.ClientConfig{ + HostKeyCallback: cb1, + HostKeyAlgorithms: []string{"foo"}, + }, + }, + { + name: "no callback is set, call fallback", + cc: &ssh.ClientConfig{}, + fallback: func(files ...string) (ssh.HostKeyCallback, error) { + return cb1, nil + }, + want: &ssh.ClientConfig{ + HostKeyCallback: cb1, + }, + }, + { + name: "no callback is set with nil client config", + fallback: func(files ...string) (ssh.HostKeyCallback, error) { + return cb1, nil + }, + want: &ssh.ClientConfig{ + HostKeyCallback: cb1, + }, + }, + { + name: "algos with no callback, call fallback", + algos: []string{"bar"}, + cc: &ssh.ClientConfig{}, + fallback: func(files ...string) (ssh.HostKeyCallback, error) { + return cb1, nil + }, + want: &ssh.ClientConfig{ + HostKeyCallback: cb1, + HostKeyAlgorithms: []string{"bar"}, + }, + }, + } + + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + helper := HostKeyCallbackHelper{ + HostKeyCallback: tc.cb, + HostKeyAlgorithms: tc.algos, + fallback: tc.fallback, + } + + got, gotErr := helper.SetHostKeyCallback(tc.cc) + + if tc.wantErr == "" { + require.NoError(t, gotErr) + require.NotNil(t, got) + + wantFunc := runtime.FuncForPC(reflect.ValueOf(tc.want.HostKeyCallback).Pointer()).Name() + gotFunc := runtime.FuncForPC(reflect.ValueOf(got.HostKeyCallback).Pointer()).Name() + assert.Equal(t, wantFunc, gotFunc) + + assert.Equal(t, tc.want.HostKeyAlgorithms, got.HostKeyAlgorithms) + } else { + assert.ErrorContains(t, gotErr, tc.wantErr) + assert.Nil(t, got) + } + }) + } +} diff -pruN 5.14.0-1/plumbing/transport/ssh/common.go 5.16.2-1/plumbing/transport/ssh/common.go --- 5.14.0-1/plumbing/transport/ssh/common.go 2025-02-27 13:12:35.000000000 +0000 +++ 5.16.2-1/plumbing/transport/ssh/common.go 2025-10-05 11:43:05.000000000 +0000 @@ -11,7 +11,6 @@ import ( "github.com/go-git/go-git/v5/plumbing/transport" "github.com/go-git/go-git/v5/plumbing/transport/internal/common" - "github.com/skeema/knownhosts" "github.com/kevinburke/ssh_config" "golang.org/x/crypto/ssh" @@ -127,17 +126,17 @@ func (c *command) connect() error { } hostWithPort := c.getHostWithPort() if config.HostKeyCallback == nil { - kh, err := newKnownHosts() + db, err := NewKnownHostsDb() if err != nil { return err } - config.HostKeyCallback = kh.HostKeyCallback() - config.HostKeyAlgorithms = kh.HostKeyAlgorithms(hostWithPort) - } else if len(config.HostKeyAlgorithms) == 0 { - // Set the HostKeyAlgorithms based on HostKeyCallback. - // For background see https://github.com/go-git/go-git/issues/411 as well as - // https://github.com/golang/go/issues/29286 for root cause. - config.HostKeyAlgorithms = knownhosts.HostKeyAlgorithms(config.HostKeyCallback, hostWithPort) + config.HostKeyCallback = db.HostKeyCallback() + config.HostKeyAlgorithms = db.HostKeyAlgorithms(hostWithPort) + } else { + // If the user gave a custom HostKeyCallback, we do not try to detect host key algorithms + // based on knownhosts functionality, as the user may be requesting a FixedKey or using a + // different key approval strategy. In that case, the user is responsible for populating + // HostKeyAlgorithms appropriately } overrideConfig(c.config, config) diff -pruN 5.14.0-1/plumbing/transport/ssh/common_test.go 5.16.2-1/plumbing/transport/ssh/common_test.go --- 5.14.0-1/plumbing/transport/ssh/common_test.go 2025-02-27 13:12:35.000000000 +0000 +++ 5.16.2-1/plumbing/transport/ssh/common_test.go 2025-10-05 11:43:05.000000000 +0000 @@ -129,12 +129,35 @@ func (s *SuiteCommon) TestFixedHostKeyCa c.Assert(err, IsNil) c.Assert(auth, NotNil) auth.HostKeyCallback = stdssh.FixedHostKey(hostKey.PublicKey()) + auth.HostKeyAlgorithms = []string{"ssh-ed25519"} ep := uploadPack.newEndpoint(c, "bar.git") ps, err := uploadPack.Client.NewUploadPackSession(ep, auth) c.Assert(err, IsNil) c.Assert(ps, NotNil) } +func (s *SuiteCommon) TestFixedHostKeyCallbackUnexpectedAlgorithm(c *C) { + hostKey, err := stdssh.ParsePrivateKey(testdata.PEMBytes["ed25519"]) + c.Assert(err, IsNil) + uploadPack := &UploadPackSuite{ + opts: []ssh.Option{ + ssh.HostKeyPEM(testdata.PEMBytes["rsa"]), + }, + } + uploadPack.SetUpSuite(c) + // Use the default client, which does not have a host key callback + uploadPack.Client = DefaultClient + auth, err := NewPublicKeys("foo", testdata.PEMBytes["rsa"], "") + c.Assert(err, IsNil) + c.Assert(auth, NotNil) + auth.HostKeyCallback = stdssh.FixedHostKey(hostKey.PublicKey()) + auth.HostKeyAlgorithms = []string{"ssh-ed25519"} + ep := uploadPack.newEndpoint(c, "bar.git") + ps, err := uploadPack.Client.NewUploadPackSession(ep, auth) + c.Assert(err, NotNil) + c.Assert(ps, IsNil) +} + func (s *SuiteCommon) TestFailHostKeyCallback(c *C) { uploadPack := &UploadPackSuite{ opts: []ssh.Option{ diff -pruN 5.14.0-1/remote.go 5.16.2-1/remote.go --- 5.14.0-1/remote.go 2025-02-27 13:12:35.000000000 +0000 +++ 5.16.2-1/remote.go 2025-10-05 11:43:05.000000000 +0000 @@ -114,7 +114,7 @@ func (r *Remote) PushContext(ctx context o.RemoteURL = r.c.URLs[len(r.c.URLs)-1] } - s, err := newSendPackSession(o.RemoteURL, o.Auth, o.InsecureSkipTLS, o.CABundle, o.ProxyOptions) + s, err := newSendPackSession(o.RemoteURL, o.Auth, o.InsecureSkipTLS, o.ClientCert, o.ClientKey, o.CABundle, o.ProxyOptions) if err != nil { return err } @@ -416,7 +416,7 @@ func (r *Remote) fetch(ctx context.Conte o.RemoteURL = r.c.URLs[0] } - s, err := newUploadPackSession(o.RemoteURL, o.Auth, o.InsecureSkipTLS, o.CABundle, o.ProxyOptions) + s, err := newUploadPackSession(o.RemoteURL, o.Auth, o.InsecureSkipTLS, o.ClientCert, o.ClientKey, o.CABundle, o.ProxyOptions) if err != nil { return nil, err } @@ -532,8 +532,8 @@ func depthChanged(before []plumbing.Hash return false, nil } -func newUploadPackSession(url string, auth transport.AuthMethod, insecure bool, cabundle []byte, proxyOpts transport.ProxyOptions) (transport.UploadPackSession, error) { - c, ep, err := newClient(url, insecure, cabundle, proxyOpts) +func newUploadPackSession(url string, auth transport.AuthMethod, insecure bool, clientCert, clientKey, caBundle []byte, proxyOpts transport.ProxyOptions) (transport.UploadPackSession, error) { + c, ep, err := newClient(url, insecure, clientCert, clientKey, caBundle, proxyOpts) if err != nil { return nil, err } @@ -541,8 +541,8 @@ func newUploadPackSession(url string, au return c.NewUploadPackSession(ep, auth) } -func newSendPackSession(url string, auth transport.AuthMethod, insecure bool, cabundle []byte, proxyOpts transport.ProxyOptions) (transport.ReceivePackSession, error) { - c, ep, err := newClient(url, insecure, cabundle, proxyOpts) +func newSendPackSession(url string, auth transport.AuthMethod, insecure bool, clientCert, clientKey, caBundle []byte, proxyOpts transport.ProxyOptions) (transport.ReceivePackSession, error) { + c, ep, err := newClient(url, insecure, clientCert, clientKey, caBundle, proxyOpts) if err != nil { return nil, err } @@ -550,13 +550,15 @@ func newSendPackSession(url string, auth return c.NewReceivePackSession(ep, auth) } -func newClient(url string, insecure bool, cabundle []byte, proxyOpts transport.ProxyOptions) (transport.Transport, *transport.Endpoint, error) { +func newClient(url string, insecure bool, clientCert, clientKey, caBundle []byte, proxyOpts transport.ProxyOptions) (transport.Transport, *transport.Endpoint, error) { ep, err := transport.NewEndpoint(url) if err != nil { return nil, nil, err } ep.InsecureSkipTLS = insecure - ep.CaBundle = cabundle + ep.ClientCert = clientCert + ep.ClientKey = clientKey + ep.CaBundle = caBundle ep.Proxy = proxyOpts c, err := client.NewClient(ep) @@ -1356,7 +1358,7 @@ func (r *Remote) list(ctx context.Contex return nil, ErrEmptyUrls } - s, err := newUploadPackSession(r.c.URLs[0], o.Auth, o.InsecureSkipTLS, o.CABundle, o.ProxyOptions) + s, err := newUploadPackSession(r.c.URLs[0], o.Auth, o.InsecureSkipTLS, o.ClientCert, o.ClientKey, o.CABundle, o.ProxyOptions) if err != nil { return nil, err } diff -pruN 5.14.0-1/repository.go 5.16.2-1/repository.go --- 5.14.0-1/repository.go 2025-02-27 13:12:35.000000000 +0000 +++ 5.16.2-1/repository.go 2025-10-05 11:43:05.000000000 +0000 @@ -19,6 +19,7 @@ import ( "github.com/go-git/go-billy/v5" "github.com/go-git/go-billy/v5/osfs" "github.com/go-git/go-billy/v5/util" + "github.com/go-git/go-git/v5/config" "github.com/go-git/go-git/v5/internal/path_util" "github.com/go-git/go-git/v5/internal/revision" @@ -930,6 +931,8 @@ func (r *Repository) clone(ctx context.C Tags: o.Tags, RemoteName: o.RemoteName, InsecureSkipTLS: o.InsecureSkipTLS, + ClientCert: o.ClientCert, + ClientKey: o.ClientKey, CABundle: o.CABundle, ProxyOptions: o.ProxyOptions, }, o.ReferenceName) diff -pruN 5.14.0-1/utils/merkletrie/change.go 5.16.2-1/utils/merkletrie/change.go --- 5.14.0-1/utils/merkletrie/change.go 2025-02-27 13:12:35.000000000 +0000 +++ 5.16.2-1/utils/merkletrie/change.go 2025-10-05 11:43:05.000000000 +0000 @@ -131,7 +131,9 @@ func (l *Changes) addRecursive(root node } if !root.IsDir() { - l.Add(ctor(root)) + if !root.Skip() { + l.Add(ctor(root)) + } return nil } @@ -148,7 +150,7 @@ func (l *Changes) addRecursive(root node } return err } - if current.IsDir() { + if current.IsDir() || current.Skip() { continue } l.Add(ctor(current)) diff -pruN 5.14.0-1/utils/merkletrie/difftree.go 5.16.2-1/utils/merkletrie/difftree.go --- 5.14.0-1/utils/merkletrie/difftree.go 2025-02-27 13:12:35.000000000 +0000 +++ 5.16.2-1/utils/merkletrie/difftree.go 2025-10-05 11:43:05.000000000 +0000 @@ -297,18 +297,16 @@ func DiffTreeContext(ctx context.Context case noMoreNoders: return ret, nil case onlyFromRemains: - if err = ret.AddRecursiveDelete(from); err != nil { - return nil, err + if !from.Skip() { + if err = ret.AddRecursiveDelete(from); err != nil { + return nil, err + } } if err = ii.nextFrom(); err != nil { return nil, err } case onlyToRemains: - if to.Skip() { - if err = ret.AddRecursiveDelete(to); err != nil { - return nil, err - } - } else { + if !to.Skip() { if err = ret.AddRecursiveInsert(to); err != nil { return nil, err } @@ -317,26 +315,25 @@ func DiffTreeContext(ctx context.Context return nil, err } case bothHaveNodes: - if from.Skip() { - if err = ret.AddRecursiveDelete(from); err != nil { - return nil, err - } - if err := ii.nextBoth(); err != nil { - return nil, err - } - break - } - if to.Skip() { - if err = ret.AddRecursiveDelete(to); err != nil { - return nil, err - } - if err := ii.nextBoth(); err != nil { - return nil, err + var err error + switch { + case from.Skip(): + if from.Name() == to.Name() { + err = ii.nextBoth() + } else { + err = ii.nextFrom() + } + case to.Skip(): + if from.Name() == to.Name() { + err = ii.nextBoth() + } else { + err = ii.nextTo() } - break + default: + err = diffNodes(&ret, ii) } - if err = diffNodes(&ret, ii); err != nil { + if err != nil { return nil, err } default: diff -pruN 5.14.0-1/utils/merkletrie/index/node.go 5.16.2-1/utils/merkletrie/index/node.go --- 5.14.0-1/utils/merkletrie/index/node.go 2025-02-27 13:12:35.000000000 +0000 +++ 5.16.2-1/utils/merkletrie/index/node.go 2025-10-05 11:43:05.000000000 +0000 @@ -36,7 +36,15 @@ func NewRootNode(idx *index.Index) noder parent := fullpath fullpath = path.Join(fullpath, part) - if _, ok := m[fullpath]; ok { + // It's possible that the first occurrence of subdirectory is skipped. + // The parent node can be created with SkipWorktree set to true, but + // if any future children do not skip their subtree, the entire lineage + // of the tree needs to have this value set to false so that subdirectories + // are not ignored. + if parentNode, ok := m[fullpath]; ok { + if e.SkipWorktree == false { + parentNode.skip = false + } continue } diff -pruN 5.14.0-1/utils/merkletrie/index/node_test.go 5.16.2-1/utils/merkletrie/index/node_test.go --- 5.14.0-1/utils/merkletrie/index/node_test.go 2025-02-27 13:12:35.000000000 +0000 +++ 5.16.2-1/utils/merkletrie/index/node_test.go 2025-10-05 11:43:05.000000000 +0000 @@ -2,7 +2,7 @@ package index import ( "bytes" - "path/filepath" + "path" "testing" "github.com/go-git/go-git/v5/plumbing" @@ -46,14 +46,14 @@ func (s *NoderSuite) TestDiff(c *C) { func (s *NoderSuite) TestDiffChange(c *C) { indexA := &index.Index{ Entries: []*index.Entry{{ - Name: filepath.Join("bar", "baz", "bar"), + Name: path.Join("bar", "baz", "bar"), Hash: plumbing.NewHash("8ab686eafeb1f44702738c8b0f24f2567c36da6d"), }}, } indexB := &index.Index{ Entries: []*index.Entry{{ - Name: filepath.Join("bar", "baz", "foo"), + Name: path.Join("bar", "baz", "foo"), Hash: plumbing.NewHash("8ab686eafeb1f44702738c8b0f24f2567c36da6d"), }}, } @@ -63,6 +63,32 @@ func (s *NoderSuite) TestDiffChange(c *C c.Assert(ch, HasLen, 2) } +func (s *NoderSuite) TestDiffSkipIssue1455(c *C) { + indexA := &index.Index{ + Entries: []*index.Entry{ + { + Name: path.Join("bar", "baz", "bar"), + Hash: plumbing.NewHash("8ab686eafeb1f44702738c8b0f24f2567c36da6d"), + SkipWorktree: true, + }, + { + Name: path.Join("bar", "biz", "bat"), + Hash: plumbing.NewHash("8ab686eafeb1f44702738c8b0f24f2567c36da6d"), + SkipWorktree: false, + }, + }, + } + + indexB := &index.Index{} + + ch, err := merkletrie.DiffTree(NewRootNode(indexB), NewRootNode(indexA), isEquals) + c.Assert(err, IsNil) + c.Assert(ch, HasLen, 1) + a, err := ch[0].Action() + c.Assert(err, IsNil) + c.Assert(a, Equals, merkletrie.Insert) +} + func (s *NoderSuite) TestDiffDir(c *C) { indexA := &index.Index{ Entries: []*index.Entry{{ @@ -73,7 +99,7 @@ func (s *NoderSuite) TestDiffDir(c *C) { indexB := &index.Index{ Entries: []*index.Entry{{ - Name: filepath.Join("foo", "bar"), + Name: path.Join("foo", "bar"), Hash: plumbing.NewHash("8ab686eafeb1f44702738c8b0f24f2567c36da6d"), }}, } diff -pruN 5.14.0-1/worktree.go 5.16.2-1/worktree.go --- 5.14.0-1/worktree.go 2025-02-27 13:12:35.000000000 +0000 +++ 5.16.2-1/worktree.go 2025-10-05 11:43:05.000000000 +0000 @@ -12,6 +12,7 @@ import ( "github.com/go-git/go-billy/v5" "github.com/go-git/go-billy/v5/util" + "github.com/go-git/go-git/v5/config" "github.com/go-git/go-git/v5/plumbing" "github.com/go-git/go-git/v5/plumbing/filemode" @@ -79,6 +80,8 @@ func (w *Worktree) PullContext(ctx conte Progress: o.Progress, Force: o.Force, InsecureSkipTLS: o.InsecureSkipTLS, + ClientCert: o.ClientCert, + ClientKey: o.ClientKey, CABundle: o.CABundle, ProxyOptions: o.ProxyOptions, }) diff -pruN 5.14.0-1/worktree_test.go 5.16.2-1/worktree_test.go --- 5.14.0-1/worktree_test.go 2025-02-27 13:12:35.000000000 +0000 +++ 5.16.2-1/worktree_test.go 2025-10-05 11:43:05.000000000 +0000 @@ -1359,7 +1359,24 @@ func (s *WorktreeSuite) TestStatusAfterC status, err := w.Status() c.Assert(err, IsNil) c.Assert(status.IsClean(), Equals, true) +} + +func (s *WorktreeSuite) TestStatusAfterSparseCheckout(c *C) { + fs := memfs.New() + w := &Worktree{ + r: s.Repository, + Filesystem: fs, + } + + err := w.Checkout(&CheckoutOptions{ + SparseCheckoutDirectories: []string{"php"}, + Force: true, + }) + c.Assert(err, IsNil) + status, err := w.Status() + c.Assert(err, IsNil) + c.Assert(status.IsClean(), Equals, true) } func (s *WorktreeSuite) TestStatusModified(c *C) {