summaryrefslogtreecommitdiff
path: root/t
AgeCommit message (Collapse)AuthorFilesLines
2008-11-02close another possibility for propagating pack corruptionLibravatar Nicolas Pitre1-1/+2
Abstract -------- With index v2 we have a per object CRC to allow quick and safe reuse of pack data when repacking. This, however, doesn't currently prevent a stealth corruption from being propagated into a new pack when _not_ reusing pack data as demonstrated by the modification to t5302 included here. The Context ----------- The Git database is all checksummed with SHA1 hashes. Any kind of corruption can be confirmed by verifying this per object hash against corresponding data. However this can be costly to perform systematically and therefore this check is often not performed at run time when accessing the object database. First, the loose object format is entirely compressed with zlib which already provide a CRC verification of its own when inflating data. Any disk corruption would be caught already in this case. Then, packed objects are also compressed with zlib but only for their actual payload. The object headers and delta base references are not deflated for obvious performance reasons, however this leave them vulnerable to potentially undetected disk corruptions. Object types are often validated against the expected type when they're requested, and deflated size must always match the size recorded in the object header, so those cases are pretty much covered as well. Where corruptions could go unnoticed is in the delta base reference. Of course, in the OBJ_REF_DELTA case, the odds for a SHA1 reference to get corrupted so it actually matches the SHA1 of another object with the same size (the delta header stores the expected size of the base object to apply against) are virtually zero. In the OBJ_OFS_DELTA case, the reference is a pack offset which would have to match the start boundary of a different base object but still with the same size, and although this is relatively much more "probable" than in the OBJ_REF_DELTA case, the probability is also about zero in absolute terms. Still, the possibility exists as demonstrated in t5302 and is certainly greater than a SHA1 collision, especially in the OBJ_OFS_DELTA case which is now the default when repacking. Again, repacking by reusing existing pack data is OK since the per object CRC provided by index v2 guards against any such corruptions. What t5302 failed to test is a full repack in such case. The Solution ------------ As unlikely as this kind of stealth corruption can be in practice, it certainly isn't acceptable to propagate it into a freshly created pack. But, because this is so unlikely, we don't want to pay the run time cost associated with extra validation checks all the time either. Furthermore, consequences of such corruption in anything but repacking should be rather visible, and even if it could be quite unpleasant, it still has far less severe consequences than actively creating bad packs. So the best compromize is to check packed object CRC when unpacking objects, and only during the compression/writing phase of a repack, and only when not streaming the result. The cost of this is minimal (less than 1% CPU time), and visible only with a full repack. Someone with a stats background could provide an objective evaluation of this, but I suspect that it's bad RAM that has more potential for data corruptions at this point, even in those cases where this extra check is not performed. Still, it is best to prevent a known hole for corruption when recreating object data into a new pack. What about the streamed pack case? Well, any client receiving a pack must always consider that pack as untrusty and perform full validation anyway, hence no such stealth corruption could be propagated to remote repositoryes already. It is therefore worthless doing local validation in that case. Signed-off-by: Nicolas Pitre <nico@cam.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-11-02Introduce receive.denyDeletesLibravatar Jan Krüger1-0/+11
Occasionally, it may be useful to prevent branches from getting deleted from a centralized repository, particularly when no administrative access to the server is available to undo it via reflog. It also makes receive.denyNonFastForwards more useful if it is used for access control since it prevents force-updating by deleting and re-creating a ref. Signed-off-by: Jan Krüger <jk@jk.gs> Acked-by: Shawn O. Pearce <spearce@spearce.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-10-31Merge branch 'maint'Libravatar Junio C Hamano1-1/+1
* maint: git-svn: change dashed git-commit-tree to git commit-tree Documentation: clarify information about 'ident' attribute bash completion: add doubledash to "git show" Use test-chmtime -v instead of perl in t5000 to get mtime of a file Add --verbose|-v to test-chmtime asciidoc: add minor workaround to add an empty line after code blocks Plug a memleak in builtin-revert Add file delete/create info when we overflow rename_limit Install git-cvsserver in $(bindir) Install git-shell in bindir, too
2008-10-31Use test-chmtime -v instead of perl in t5000 to get mtime of a fileLibravatar Alex Riesen1-1/+1
The test was broken on admittedly broken combination of Windows, Cygwin, and ActiveState Perl. Signed-off-by: Alex Riesen <ariesen@harmanbecker.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-10-26Merge branch 'maint'Libravatar Junio C Hamano1-0/+21
* maint: add -p: warn if only binary changes present git-archive: work in bare repos git-svn: change dashed git-config to git config
2008-10-26git-archive: work in bare reposLibravatar Charles Bailey1-0/+21
This moves the call to git_config to a place where it doesn't break the logic for using git archive in a bare repository but retains the fix to make git archive respect core.autocrlf. Tests are by René Scharfe. Signed-off-by: Charles Bailey <charles@hashpling.org> Tested-by: Deskin Miller <deskinm@umich.edu> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-10-22git-remote: list branches in vertical listsLibravatar Johannes Sixt1-5/+9
Previously, branches were listed on a single line in each section. But if there are many branches, then horizontal, line-wrapped lists are very inconvenient to scan for a human. This makes the lists vertical, i.e one branch per line is printed. Since "git remote" is porcelain, we can easily make this backwards-incompatible change. Signed-off-by: Johannes Sixt <j6t@kdbg.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-10-22rm: loosen safety valve for empty filesLibravatar Jeff King1-0/+13
If a file is different between the working tree copy, the index, and the HEAD, then we do not allow it to be deleted without --force. However, this is overly tight in the face of "git add --intent-to-add": $ git add --intent-to-add file $ : oops, I don't actually want to stage that yet $ git rm --cached file error: 'empty' has staged content different from both the file and the HEAD (use -f to force removal) $ git rm -f --cached file Unfortunately, there is currently no way to distinguish between an empty file that has been added and an "intent to add" file. The ideal behavior would be to disallow the former while allowing the latter. This patch loosens the safety valve to allow the deletion only if we are deleting the cached entry and the cached content is empty. This covers the intent-to-add situation, and assumes there is little harm in not protecting users who have legitimately added an empty file. In many cases, the file will still be empty, in which case the safety valve does not trigger anyway (since the content remains untouched in the working tree). Otherwise, we do remove the fact that no content was staged, but given that the content is by definition empty, it is not terribly difficult for a user to recreate it. However, we still document the desired behavior in the form of two tests. One checks the correct removal of an intent-to-add file. The other checks that we still disallow removal of empty files, but is marked as expect_failure to indicate this compromise. If the intent-to-add feature is ever extended to differentiate between normal empty files and intent-to-add files, then the safety valve can be re-tightened. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-10-21Merge branch 'jk/diff-convfilter'Libravatar Junio C Hamano1-2/+2
* jk/diff-convfilter: diff: add filter for converting binary to text diff: introduce diff.<driver>.binary diff: unify external diff and funcname parsing code t4012: use test_cmp instead of cmp
2008-10-21Merge branch 'js/maint-fetch-update-head'Libravatar Junio C Hamano5-3/+27
* js/maint-fetch-update-head: pull: allow "git pull origin $something:$current_branch" into an unborn branch Fix fetch/pull when run without --update-head-ok Conflicts: t/t5510-fetch.sh
2008-10-21Merge branch 'jc/maint-co-track'Libravatar Junio C Hamano1-6/+20
* jc/maint-co-track: Enhance hold_lock_file_for_{update,append}() API demonstrate breakage of detached checkout with symbolic link HEAD Fix "checkout --track -b newbranch" on detached HEAD Conflicts: builtin-commit.c
2008-10-21Merge branch 'jk/fix-ls-files-other'Libravatar Junio C Hamano1-0/+6
* jk/fix-ls-files-other: refactor handling of "other" files in ls-files and status
2008-10-21Merge branch 'jc/maint-reset-remove-unmerged-new'Libravatar Junio C Hamano1-0/+60
* jc/maint-reset-remove-unmerged-new: reset --hard/read-tree --reset -u: remove unmerged new paths
2008-10-21Merge branch 'maint'Libravatar Junio C Hamano1-0/+10
* maint: GIT 1.6.0.3 rehabilitate 'git index-pack' inside the object store
2008-10-21rehabilitate 'git index-pack' inside the object storeLibravatar Nicolas Pitre1-0/+10
Before commit d0b92a3f6e it was possible to run 'git index-pack' directly in the .git/objects/pack/ directory. Restore that ability. Signed-off-by: Nicolas Pitre <nico@cam.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-10-20Merge branch 'maint'Libravatar Junio C Hamano1-4/+6
* maint: Fix testcase failure when extended attributes are in use
2008-10-19Fix testcase failure when extended attributes are in useLibravatar Junio C Hamano1-4/+6
06cbe855 (Make core.sharedRepository more generic, 2008-04-16) made several testcases in t1301-shared-repo.sh which fail if on a system which creates files with extended attributes (e.g. SELinux), since ls appends a '+' sign to the permission set in such cases. In fact, POSIX.1 allows ls to add a single printable character after the usual 3x3 permission bits to show that an optional alternate/additional access method is associated with the path. This fixes the testcase to strip any such sign prior to verifying the permission set. Signed-off-by: Junio C Hamano <gitster@pobox.com> Tested-by: Deskin Miller <deskinm@umich.edu>
2008-10-19Merge branch 'sh/maint-rebase3'Libravatar Junio C Hamano1-0/+139
* sh/maint-rebase3: rebase--interactive: fix parent rewriting for dropped commits
2008-10-19Merge branch 'mv/clonev'Libravatar Junio C Hamano1-0/+13
* mv/clonev: Implement git clone -v
2008-10-19Merge branch 'dp/checkattr'Libravatar Junio C Hamano1-0/+17
* dp/checkattr: git-check-attr(1): use 'verse' for multi-line synopsis sections check-attr: Add --stdin option check-attr: add an internal check_attr() function
2008-10-19Merge branch 'gb/formatpatch-autonbr'Libravatar Junio C Hamano12-24/+286
* gb/formatpatch-autonbr: format-patch: autonumber by default
2008-10-19Merge branch 'sp/describe-lwtag'Libravatar Junio C Hamano1-4/+4
* sp/describe-lwtag: describe: Make --tags and --all match lightweight tags more often
2008-10-19Merge branch 'ae/preservemerge'Libravatar Junio C Hamano1-0/+61
* ae/preservemerge: rebase: Support preserving merges in non-interactive mode
2008-10-19Merge branch 'mv/merge-noff'Libravatar Junio C Hamano1-0/+16
* mv/merge-noff: builtin-commit: use reduce_heads() only when appropriate Conflicts: builtin-commit.c t/t7600-merge.sh
2008-10-19Merge branch 'ns/rebase-noverify'Libravatar Junio C Hamano1-0/+16
* ns/rebase-noverify: rebase: Document --no-verify option to bypass pre-rebase hook rebase --no-verify
2008-10-19Enhance hold_lock_file_for_{update,append}() APILibravatar Junio C Hamano1-1/+1
This changes the "die_on_error" boolean parameter to a mere "flags", and changes the existing callers of hold_lock_file_for_update/append() functions to pass LOCK_DIE_ON_ERROR. Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-10-19demonstrate breakage of detached checkout with symbolic link HEADLibravatar Junio C Hamano1-0/+12
When core.prefersymlinkrefs is in use, detaching the HEAD by checkout incorrectly clobbers the tip of the current branch. Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-10-18reset --hard/read-tree --reset -u: remove unmerged new pathsLibravatar Junio C Hamano1-0/+60
When aborting a failed merge that has brought in a new path using "git reset --hard" or "git read-tree --reset -u", we used to first forget about the new path (via read_cache_unmerged) and then matched the working tree to what is recorded in the index, thus ending up leaving the new path in the work tree. Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-10-18Merge branch 'db/maint-checkout-b' into maintLibravatar Junio C Hamano1-0/+10
* db/maint-checkout-b: Check early that a new branch is new and valid
2008-10-18t4012: use test_cmp instead of cmpLibravatar Jeff King1-2/+2
This makes erroneous output slightly easier to see. We also flip the argument order to match our usual style. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Shawn O. Pearce <spearce@spearce.org>
2008-10-18format-patch: autonumber by defaultLibravatar Brian Gernhardt12-24/+286
format-patch is most commonly used for multiple patches at once when sending a patchset, in which case we want to number the patches; on the other hand, single patches are not usually expected to be numbered. In other words, the typical behavior expected from format-patch is the one obtained by enabling autonumber, so we set it to be the default. Users that want to disable numbering for a particular patchset can do so with the existing -N command-line switch. Users that want to change the default behavior can use the format.numbering config key. Signed-off-by: Brian Gernhardt <benji@silverinsanity.com> Test-updates-by: Jeff King <peff@peff.net> Signed-off-by: Shawn O. Pearce <spearce@spearce.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-10-17Fix "checkout --track -b newbranch" on detached HEADLibravatar Junio C Hamano1-6/+8
The test to make sure that checkout fails when --track was asked for and we cannot set up tracking information in t7201 was wrong, and it turns out that the implementation for that feature itself was buggy. This fixes it. Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-10-17Merge branch 'jk/maint-ls-files-other' into jk/fix-ls-files-otherLibravatar Junio C Hamano1-0/+6
* jk/maint-ls-files-other: refactor handling of "other" files in ls-files and status Conflicts: read-cache.c
2008-10-17refactor handling of "other" files in ls-files and statusLibravatar Jeff King1-0/+6
When the "git status" display code was originally converted to C, we copied the code from ls-files to discover whether a pathname returned by read_directory was an "other", or untracked, file. Much later, 5698454e updated the code in ls-files to handle some new cases caused by gitlinks. This left the code in wt-status.c broken: it would display submodule directories as untracked directories. Nobody noticed until now, however, because unless status.showUntrackedFiles was set to "all", submodule directories were not actually reported by read_directory. So the bug was only triggered in the presence of a submodule _and_ this config option. This patch pulls the ls-files code into a new function, cache_name_is_other, and uses it in both places. This should leave the ls-files functionality the same and fix the bug in status. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-10-17describe: Make --tags and --all match lightweight tags more oftenLibravatar Shawn O. Pearce1-4/+4
If the caller supplies --tags they want the lightweight, unannotated tags to be searched for a match. If a lightweight tag is closer in the history, it should be matched, even if an annotated tag is reachable further back in the commit chain. The same applies with --all when matching any other type of ref. Signed-off-by: Shawn O. Pearce <spearce@spearce.org> Acked-By: Uwe Kleine-König <ukleinek@strlen.de> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-10-17tests: shell negation portability fixLibravatar Jeff King1-1/+1
Commit 969c8775 introduced a test which uses the non-portable construct: command1 && ! command2 | command3 which must be command1 && ! (command2 | command3) to work on bsd shells (this is another example of bbf08124, which fixed several similar cases). Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-10-17pull: allow "git pull origin $something:$current_branch" into an unborn branchLibravatar Junio C Hamano1-0/+12
Some misguided documents floating on the Net suggest this sequence: mkdir newdir && cd newdir git init git remote add origin $url git pull origin master:master "git pull" has known about misguided "pull" that lets the underlying fetch update the current branch for a long time. It also has known about "git pull origin master" into a branch yet to be born. These two workarounds however were not aware of the existence of each other and did not work well together. This fixes it. Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-10-17Merge branch 'maint'Libravatar Junio C Hamano3-1/+35
* maint: t1301-shared-repo.sh: don't let a default ACL interfere with the test git-check-attr(1): add output and example sections xdiff-interface.c: strip newline (and cr) from line before pattern matching t4018-diff-funcname: demonstrate end of line funcname matching flaw t4018-diff-funcname: rework negated last expression test Typo "does not exists" when git remote update remote. remote.c: correct the check for a leading '/' in a remote name Add testcase to ensure merging an early part of a branch is done properly Conflicts: t/t7600-merge.sh
2008-10-16t1301-shared-repo.sh: don't let a default ACL interfere with the testLibravatar Matt McCutchen1-0/+3
This test creates files with several different umasks and expects their permissions to be initialized according to the umask, so a default ACL on the trash directory (which overrides the umask for files created in that directory) causes the test to fail. To avoid that, remove the default ACL if possible with setfacl(1). Signed-off-by: Matt McCutchen <matt@mattmccutchen.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-10-16rebase--interactive: fix parent rewriting for dropped commitsLibravatar Stephen Haberman1-0/+139
`rebase -i -p` got its rev-list of commits to keep by --left-right and --cherry-pick. Adding --cherry-pick would drop commits that duplicated changes already in the rebase target. The dropped commits were then forgotten about when it came to rewriting the parents of their descendents, so the descendents would get cherry-picked with their old, unwritten parents and essentially make the rebase a no-op. This commit adds a $DOTEST/dropped directory to remember dropped commits and rewrite their children's parent as the dropped commit's possibly-rewritten first-parent. Signed-off-by: Stephen Haberman <stephen@exigencecorp.com> Signed-off-by: Shawn O. Pearce <spearce@spearce.org>
2008-10-16xdiff-interface.c: strip newline (and cr) from line before pattern matchingLibravatar Brandon Casey1-1/+1
POSIX doth sayeth: "In the regular expression processing described in IEEE Std 1003.1-2001, the <newline> is regarded as an ordinary character and both a period and a non-matching list can match one. ... Those utilities (like grep) that do not allow <newline>s to match are responsible for eliminating any <newline> from strings before matching against the RE." Thus far git has not been removing the trailing newline from strings matched against regular expression patterns. This has the effect that (quoting Jonathan del Strother) "... a line containing just 'FUNCNAME' (terminated by a newline) will be matched by the pattern '^(FUNCNAME.$)' but not '^(FUNCNAME$)'", and more simply not '^FUNCNAME$'. Signed-off-by: Brandon Casey <casey@nrlssc.navy.mil> Signed-off-by: Shawn O. Pearce <spearce@spearce.org>
2008-10-16t4018-diff-funcname: demonstrate end of line funcname matching flawLibravatar Brandon Casey1-0/+6
Since the newline is not removed from lines before pattern matching, a pattern cannot match to the end of the line using the '$' operator without using an additional operator which will indirectly match the '\n' character. Introduce a test which should pass, but which does not due to this flaw. Signed-off-by: Brandon Casey <drafnel@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-10-16t4018-diff-funcname: rework negated last expression testLibravatar Brandon Casey1-1/+2
This test used the non-zero exit status of 'git diff' to indicate that a negated funcname pattern, when placed last, was correctly rejected. The problem with this is that 'git diff' always returns non-zero if it finds differences in the files it is comparing, and the files must contain differences in order to trigger the funcname pattern codepath. Instead of checking for non-zero exit status, make sure the expected error message is printed. Signed-off-by: Brandon Casey <drafnel@gmail.com> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-10-14Add testcase to ensure merging an early part of a branch is done properlyLibravatar Miklos Vajna1-0/+26
Signed-off-by: Miklos Vajna <vmiklos@frugalware.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-10-14t4018-diff-funcname: add objective-c xfuncname pattern to syntax testLibravatar Brandon Casey1-1/+1
Signed-off-by: Brandon Casey <casey@nrlssc.navy.mil> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-10-13Fix fetch/pull when run without --update-head-okLibravatar Johannes Schindelin4-3/+15
Some confusing tutorials suggested that it would be a good idea to fetch into the current branch with something like this: git fetch origin master:master (or even worse: the same command line with "pull" instead of "fetch"). While it might make sense to store what you want to pull, it typically is plain wrong when the current branch is "master". This should only be allowed when (an incorrect) "git pull origin master:master" tries to work around by giving --update-head-ok to underlying "git fetch", and otherwise we should refuse it, but somewhere along the lines we lost that behavior. The check for the current branch is now _only_ performed in non-bare repositories, which is an improvement from the original behaviour. Some newer tests were depending on the broken behaviour of "git fetch" this patch fixes, and have been adjusted. Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de> Acked-by: Shawn O. Pearce <spearce@spearce.org> Acked-by: Daniel Barkalow <barkalow@iabervon.org> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-10-13tests: shell negation portability fixLibravatar Jeff King1-1/+1
Commit 969c8775 introduced a test which uses the non-portable construct: command1 && ! command2 | command3 which must be command1 && ! (command2 | command3) to work on bsd shells (this is another example of bbf08124, which fixed several similar cases). Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
2008-10-12check-attr: Add --stdin optionLibravatar Dmitry Potapov1-0/+17
This allows multiple paths to be specified on stdin. Signed-off-by: Dmitry Potapov <dpotapov@gmail.com> Signed-off-by: Shawn O. Pearce <spearce@spearce.org>
2008-10-12Merge branch 'maint'Libravatar Shawn O. Pearce2-1/+53
* maint: test-lib: fix broken printf git apply --directory broken for new files
2008-10-12test-lib: fix broken printfLibravatar Shawn O. Pearce1-1/+1
b8eecafd888d219633f4c29e8b6a90fc21a46dfd introduced usage of printf without a format string. Signed-off-by: Shawn O. Pearce <spearce@spearce.org>