Bump git2 to 0.15 and libgit2-sys to 0.14 #11004
This will allow cargo to avoid vendored builds of git2 in up-to-date environments going forward, and brings in the [libgit2 1.4.4 CVE fix](https://github.com/libgit2/libgit2/releases/tag/v1.4.4).
r? @weihanglo (rust-highfive has picked a reviewer for you, use r? to override)
I think to move forward with this cargo will need to call
Ah, yes, I remember from the discussion in rust-lang/rfcs#3279. Will update!
One issue with setting that is that it's a global property, which means that if someone has a project that uses
There's
Having now dug through the libgit2 PR that introduced the ownership check, libgit2/libgit2#6266, I don't see a way around this. Either we have to disable the check globally in something like
I was thinking it can be called from
We could do that, although it would mean that anyone using Cargo as a library would need to know to explicitly call that method themselves too. We could perhaps add a method like
One option might be to set the ceiling directories, which can be done per open, but as far as I can tell from the implementation that doesn't actually bypass the check either?
This sounds lovely to me. And I believe people will eventually find it. As Cargo lib users, they must be accustomed to breakages between versions sometimes. (Sorry about that 😅)
I am going to merge this. Thanks for the pull request.
If @ehuss or anyone still has concerns about this, feel free to comment.
@bors r+
I feel like this is worth mentioning in the release notes, at least for library users?
☀️ Test successful - checks-actions
Update cargo

5 commits in 6da726708a4406f31f996d813790818dce837161..4ed54cecce3ce9ab6ff058781f4c8a500ee6b8b5
2022-08-23 21:39:56 +0000 to 2022-08-27 18:41:39 +0000
- doc: pause, for readability (rust-lang/cargo#11027)
- Bump git2 to 0.15 and libgit2-sys to 0.14 (rust-lang/cargo#11004)
- Fix typo (rust-lang/cargo#11025)
- Update cargo-toml-vs-cargo-lock.md (rust-lang/cargo#11021)
- Apply GitHub fast path even for partial hashes (rust-lang/cargo#10807)
I agree this should be mentioned in relnotes!
fwiw, I always include libgit2 bumps in the Cargo changelog. But I don't think this needs to be in the Rust release notes, does it? Are you concerned that third-party packages that link to the cargo API might run into problems here?
Oh, sorry, I thought I would point out that this bump means that
Ah. Ok, I'll untag the relnotes. That label is only for RELEASES.md.
Oh, it was already removed. I was confused. 😄