CHANGELOG.md 40.6 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47
v0.26.7
-------

This is a security release fixing the following list of issues:

- Submodule URLs and paths with a leading "-" are now ignored.
  This is due to the recently discovered CVE-2018-17456, which
  can lead to arbitrary code execution in upstream git. While
  libgit2 itself is not vulnerable, it can be used to inject
  options in an implementation which performs a recursive clone
  by executing an external command.

- When running repack while doing repo writes,
  `packfile_load__cb()` could see some temporary files in the
  directory that were bigger than the usual, and makes `memcmp`
  overflow on the `p->pack_name` string. This issue was reported
  and fixed by bisho.

- The configuration file parser used unbounded recursion to parse
  multiline variables, which could lead to a stack overflow. The
  issue was reported by the oss-fuzz project, issue 10048 and
  fixed by Nelson Elhage.

- The fix to the unbounded recursion introduced a memory leak in
  the config parser. While this leak was never in a public
  release, the oss-fuzz project reported this as issue 10127. The
  fix was implemented by Nelson Elhage and Patrick Steinhardt.

- When parsing "ok" packets received via the smart protocol, our
  parsing code did not correctly verify the bounds of the
  packets, which could result in a heap-buffer overflow. The
  issue was reported by the oss-fuzz project, issue 9749 and
  fixed by Patrick Steinhardt.

- The parsing code for the smart protocol has been tightened in
  general, fixing heap-buffer overflows when parsing the packet
  type as well as for "ACK" and "unpack" packets. The issue was
  discovered and fixed by Patrick Steinhardt.

- Fixed potential integer overflows on platforms with 16 bit
  integers when parsing packets for the smart protocol. The issue
  was discovered and fixed by Patrick Steinhardt.

- Fixed potential NULL pointer dereference when parsing
  configuration files which have "include.path" statements
  without a value.

48 49 50 51 52 53 54 55 56 57 58 59 60 61 62
v0.26.6
-------

This is a security release fixing out-of-bounds reads when
processing smart-protocol "ng" packets.

When parsing an "ng" packet, we keep track of both the current position
as well as the remaining length of the packet itself. But instead of
taking care not to exceed the length, we pass the current pointer's
position to `strchr`, which will search for a certain character until
hitting NUL. It is thus possible to create a crafted packet which
doesn't contain a NUL byte to trigger an out-of-bounds read.

The issue was discovered by the oss-fuzz project, issue 9406.

63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85
v0.26.5
-------

This is a security release fixing out-of-bounds reads when
reading objects from a packfile. This corresponds to
CVE-2018-10887 and CVE-2018-10888, which were both reported by
Riccardo Schirone.

When packing objects into a single so-called packfile, objects
may not get stored as complete copies but instead as deltas
against another object "base". A specially crafted delta object
could trigger an integer overflow and thus bypass our input
validation, which may result in copying memory before or after
the base object into the final deflated object. This may lead to
objects containing copies of system memory being written into the
object database. As the hash of those objects cannot be easily
controlled by the attacker, it is unlikely that any of those
objects will be valid and referenced by the commit graph.

Note that the error could also be triggered by the function
`git_apply__patch`. But as this function is not in use outside of
our test suite, it is not a possible attack vector.

86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105
v0.26.4
-------

This is a security release fixing insufficient validation of submodule names
(CVE-2018-11235, reported by Etienne Stalmans) and disallows `.gitmodules` files
as symlinks.

While submodule names come from the untrusted ".gitmodules" file, we blindly
append the name to "$GIT_DIR/modules" to construct the final path of the
submodule repository. In case the name contains e.g. "../", an adversary would
be able to escape your repository and write data at arbitrary paths. In
accordance with git, we now enforce some rules for submodule names which will
cause libgit2 to ignore these malicious names.

Adding a symlink as `.gitmodules` into the index from the workdir or checking
out such files is not allowed as this can make a Git implementation write
outside of the repository and bypass the `fsck` checks for CVE-2018-11235.

libgit2 is not susceptible to CVE-2018-11233.

106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130
v0.26.3
-------

This is a bugfix release. It includes the following non-exclusive list of
improvements, which have been backported from the master branch:

* Fix cloning of the libgit2 project with `git clone --recursive` by removing an
  invalid submodule from our testing data.

* Fix endianness of the port in `p_getaddrinfo()`.

* Fix handling of negative gitignore rules with wildcards.

* Fix handling of case-insensitive negative gitignore rules.

* Fix resolving references to a tag if the reference is stored with its fully
  resolved OID in the packed-refs file.

* Fix checkout not treating worktree files as modified when only their mode has
  changed.

* Fix rename detection with `GIT_DIFF_FIND_RENAMES_FROM_REWRITES`.

* Enable Windows 7 and earlier to use TLS 1.2.

131 132 133 134 135 136 137 138 139 140
v0.26.2
-------

This is a security release fixing memory handling issues when reading crafted
repository index files. The issues allow for possible denial of service due to
allocation of large memory and out-of-bound reads.

As the index is never transferred via the network, exploitation requires an
attacker to have access to the local repository.

141
v0.26.1
142 143
---------

144 145
This is a security release fixing the following CVEs in the bundled zlib
library:
146

147 148 149 150
* CVE-2016-9843
* CVE-2016-9841
* CVE-2016-9842
* CVE-2016-9840
151

152 153
All users compiling libgit2 with the bundled zlib instead of using the
system-provided zlib must upgrade.
154 155 156

v0.26
-----
157 158 159

### Changes or improvements

160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180
* Support for opening, creating and modifying worktrees.

* We can now detect SHA1 collisions resulting from the SHAttered attack. These
  checks can be enabled at build time via `-DUSE_SHA1DC`.

* Fix for missing implementation of `git_merge_driver_source` getters.

* Fix for installed pkg-config file being broken when the prefix contains
  spaces.

* We now detect when the hashsum of on-disk objects does not match their
  expected hashsum.

* We now support open-ended ranges (e.g. "master..", "...master") in our
  revision range parsing code.

* We now correctly compute ignores with leading "/" in subdirectories.

* We now optionally call `fsync` on loose objects, packfiles and their indexes,
  loose references and packed reference files.

181
* We can now build against OpenSSL v1.1 and against LibreSSL.
182

183 184 185 186
* `GIT_MERGE_OPTIONS_INIT` now includes a setting to perform rename detection.
  This aligns this structure with the default by `git_merge` and
  `git_merge_trees` when `NULL` was provided for the options.

187 188 189 190 191
* Improvements for reading index v4 files.

* Perform additional retries for filesystem operations on Windows when files
  are temporarily locked by other processes.

192 193
### API additions

194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234
* New family of functions to handle worktrees:

    * `git_worktree_list()` lets you look up worktrees for a repository.
    * `git_worktree_lookup()` lets you get a specific worktree.
    * `git_worktree_open_from_repository()` lets you get the associated worktree
      of a repository.
      a worktree.
    * `git_worktree_add` lets you create new worktrees.
    * `git_worktree_prune` lets you remove worktrees from disk.
    * `git_worktree_lock()` and `git_worktree_unlock()` let you lock
      respectively unlock a worktree.
    * `git_repository_open_from_worktree()` lets you open a repository via
    * `git_repository_head_for_worktree()` lets you get the current `HEAD` for a
      linked worktree.
    * `git_repository_head_detached_for_worktree()` lets you check whether a
      linked worktree is in detached HEAD mode.

* `git_repository_item_path()` lets you retrieve paths for various repository
  files.

* `git_repository_commondir()` lets you retrieve the common directory of a
  repository.

* `git_branch_is_checked_out()` allows you to check whether a branch is checked
  out in a repository or any of its worktrees.

* `git_repository_submodule_cache_all()` and
  `git_repository_submodule_cache_clear()` functions allow you to prime or clear
  the submodule cache of a repository.

* You can disable strict hash verifications via the
  `GIT_OPT_ENABLE_STRICT_HASH_VERIFICATION` option with `git_libgit2_opts()`.

* You can enable us calling `fsync` for various files inside the ".git"
  directory by setting the `GIT_OPT_ENABLE_FSYNC_GITDIR` option with
  `git_libgit2_opts()`.

* You can now enable "offset deltas" when creating packfiles and negotiating
  packfiles with a remote server by setting `GIT_OPT_ENABLE_OFS_DELTA` option
  with `GIT_libgit2_opts()`.

235 236 237 238
* You can now set the default share mode on Windows for opening files using
  `GIT_OPT_SET_WINDOWS_SHAREMODE` option with `git_libgit2_opts()`.
  You can query the current share mode with `GIT_OPT_GET_WINDOWS_SHAREMODE`.

239 240 241
* `git_transport_smart_proxy_options()' enables you to get the proxy options for
  smart transports.

242 243 244
* The `GIT_FILTER_INIT` macro and the `git_filter_init` function are provided
  to initialize a `git_filter` structure.

245 246
### Breaking API changes

247 248 249 250
* `clone_checkout_strategy` has been removed from
  `git_submodule_update_option`. The checkout strategy used to clone will
  be the same strategy specified in `checkout_opts`.

251
v0.25
252 253 254 255
-------

### Changes or improvements

256 257 258 259 260 261 262
* Fix repository discovery with `git_repository_discover` and
  `git_repository_open_ext` to match git's handling of a ceiling
  directory at the current directory. git only checks ceiling
  directories when its search ascends to a parent directory.  A ceiling
  directory matching the starting directory will not prevent git from
  finding a repository in the starting directory or a parent directory.

263 264 265
* Do not fail when deleting remotes in the presence of broken
  global configs which contain branches.

David Turner committed
266 267
* Support for reading and writing git index v4 files

268 269
* Improve the performance of the revwalk and bring us closer to git's code.

270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287
* The reference db has improved support for concurrency and returns `GIT_ELOCKED`
  when an operation could not be performed due to locking.

* Nanosecond resolution is now activated by default, following git's change to
  do this.

* We now restrict the set of ciphers we let OpenSSL use by default.

* Users can now register their own merge drivers for use with `.gitattributes`.
  The library also gained built-in support for the union merge driver.

* The default for creating references is now to validate that the object does
  exist.

* Add `git_proxy_options` which is used by the different networking
  implementations to let the caller specify the proxy settings instead of
  relying on the environment variables.

288 289
### API additions

290 291 292 293
* You can now get the user-agent used by libgit2 using the
  `GIT_OPT_GET_USER_AGENT` option with `git_libgit2_opts()`.
  It is the counterpart to `GIT_OPT_SET_USER_AGENT`.

294 295 296
* The `GIT_OPT_SET_SSL_CIPHERS` option for `git_libgit2_opts()` lets you specify
  a custom list of ciphers to use for OpenSSL.

297
* `git_commit_create_buffer()` creates a commit and writes it into a
298 299 300
  user-provided buffer instead of writing it into the object db. Combine it with
  `git_commit_create_with_signature()` in order to create a commit with a
  cryptographic signature.
301

302 303 304 305 306
* `git_blob_create_fromstream()` and
  `git_blob_create_fromstream_commit()` allow you to create a blob by
  writing into a stream. Useful when you do not know the final size or
  want to copy the contents from another stream.

307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325
* New flags for `git_repository_open_ext`:

    * `GIT_REPOSITORY_OPEN_NO_DOTGIT` - Do not check for a repository by
      appending `/.git` to the `start_path`; only open the repository if
      `start_path` itself points to the git directory.
    * `GIT_REPOSITORY_OPEN_FROM_ENV` - Find and open a git repository,
      respecting the environment variables used by the git command-line
      tools. If set, `git_repository_open_ext` will ignore the other
      flags and the `ceiling_dirs` argument, and will allow a NULL
      `path` to use `GIT_DIR` or search from the current directory. The
      search for a repository will respect `$GIT_CEILING_DIRECTORIES`
      and `$GIT_DISCOVERY_ACROSS_FILESYSTEM`.  The opened repository
      will respect `$GIT_INDEX_FILE`, `$GIT_NAMESPACE`,
      `$GIT_OBJECT_DIRECTORY`, and `$GIT_ALTERNATE_OBJECT_DIRECTORIES`.
      In the future, this flag will also cause `git_repository_open_ext`
      to respect `$GIT_WORK_TREE` and `$GIT_COMMON_DIR`; currently,
      `git_repository_open_ext` with this flag will error out if either
      `$GIT_WORK_TREE` or `$GIT_COMMON_DIR` is set.

326
* `git_diff_from_buffer()` can create a `git_diff` object from the contents
327 328
  of a git-style patch file.

David Turner committed
329 330 331
* `git_index_version()` and `git_index_set_version()` to get and set
  the index version

332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367
* `git_odb_expand_ids()` lets you check for the existence of multiple
  objects at once.

* The new `git_blob_dup()`, `git_commit_dup()`, `git_tag_dup()` and
  `git_tree_dup()` functions provide type-specific wrappers for
  `git_object_dup()` to reduce noise and increase type safety for callers.

* `git_reference_dup()` lets you duplicate a reference to aid in ownership
  management and cleanup.

* `git_signature_from_buffer()` lets you create a signature from a string in the
  format that appear in objects.

* `git_tree_create_updated()` lets you create a tree based on another one
  together with a list of updates. For the covered update cases, it's more
  efficient than the `git_index` route.

* `git_apply_patch()` applies hunks from a `git_patch` to a buffer.

* `git_diff_to_buf()` lets you print an entire diff directory to a buffer,
  similar to how `git_patch_to_buf()` works.

* `git_proxy_init_options()` is added to initialize a `git_proxy_options`
  structure at run-time.

* `git_merge_driver_register()`, `git_merge_driver_unregister()` let you
  register and unregister a custom merge driver to be used when `.gitattributes`
  specifies it.

* `git_merge_driver_lookup()` can be used to look up a merge driver by name.

* `git_merge_driver_source_repo()`, `git_merge_driver_source_ancestor()`,
  `git_merge_driver_source_ours()`, `git_merge_driver_source_theirs()`,
  `git_merge_driver_source_file_options()` added as accessors to
  `git_merge_driver_source`.

368 369
### API removals

370 371 372
* `git_blob_create_fromchunks()` has been removed in favour of
  `git_blob_create_fromstream()`.

373 374
### Breaking API changes

375 376 377 378 379 380 381
* `git_packbuilder_object_count` and `git_packbuilder_written` now
  return a `size_t` instead of a `uint32_t` for more thorough
  compatibility with the rest of the library.

* `git_packbuiler_progress` now provides explicitly sized `uint32_t`
  values instead of `unsigned int`.

382 383 384
* `git_diff_file` now includes an `id_abbrev` field that reflects the
  number of nibbles set in the `id` field.

385 386 387 388 389 390 391
* `git_odb_backend` now has a `freshen` function pointer.  This optional
  function pointer is similar to the `exists` function, but it will update
  a last-used marker.  For filesystem-based object databases, this updates
  the timestamp of the file containing the object, to indicate "freshness".
  If this is `NULL`, then it will not be called and the `exists` function
  will be used instead.

392 393
* `git_remote_connect()` now accepts `git_proxy_options` argument, and
  `git_fetch_options` and `git_push_options` each have a `proxy_opts` field.
394

395 396 397 398
* `git_merge_options` now provides a `default_driver` that can be used
  to provide the name of a merge driver to be used to handle files changed
  during a merge.

399
v0.24
400 401 402 403
-------

### Changes or improvements

404 405 406 407
* Custom merge drivers can now be registered, which allows callers to
  configure callbacks to honor `merge=driver` configuration in
  `.gitattributes`.

408 409 410 411
* Custom filters can now be registered with wildcard attributes, for
  example `filter=*`.  Consumers should examine the attributes parameter
  of the `check` function for details.

412 413 414
* Symlinks are now followed when locking a file, which can be
  necessary when multiple worktrees share a base repository.

415 416 417
* You can now set your own user-agent to be sent for HTTP requests by
  using the `GIT_OPT_SET_USER_AGENT` with `git_libgit2_opts()`.

418 419 420
* You can set custom HTTP header fields to be sent along with requests
  by passing them in the fetch and push options.

421 422 423 424
* Tree objects are now assumed to be sorted. If a tree is not
  correctly formed, it will give bad results. This is the git approach
  and cuts a significant amount of time when reading the trees.

425 426 427 428 429 430 431 432 433
* Filter registration is now protected against concurrent
  registration.

* Filenames which are not valid on Windows in an index no longer cause
  to fail to parse it on that OS.

* Rebases can now be performed purely in-memory, without touching the
  repository's workdir.

434 435 436 437 438
* When adding objects to the index, or when creating new tree or commit
  objects, the inputs are validated to ensure that the dependent objects
  exist and are of the correct type.  This object validation can be
  disabled with the GIT_OPT_ENABLE_STRICT_OBJECT_CREATION option.

439 440 441
* The WinHTTP transport's handling of bad credentials now behaves like
  the others, asking for credentials again.

442 443
### API additions

444 445 446 447
* `git_config_lock()` has been added, which allow for
  transactional/atomic complex updates to the configuration, removing
  the opportunity for concurrent operations and not committing any
  changes until the unlock.
448

449 450 451 452 453
* `git_diff_options` added a new callback `progress_cb` to report on the
  progress of the diff as files are being compared. The documentation of
  the existing callback `notify_cb` was updated to reflect that it only
  gets called when new deltas are added to the diff.

454 455 456
* `git_fetch_options` and `git_push_options` have gained a `custom_headers`
  field to set the extra HTTP header fields to send.

457 458 459 460
* `git_stream_register_tls()` lets you register a callback to be used
  as the constructor for a TLS stream instead of the libgit2 built-in
  one.

461 462 463 464 465 466 467
* `git_commit_header_field()` allows you to look up a specific header
  field in a commit.

* `git_commit_extract_signature()` extracts the signature from a
  commit and gives you both the signature and the signed data so you
  can verify it.

468 469
### API removals

470 471
* No APIs were removed in this version.

472 473
### Breaking API changes

474 475 476 477 478 479 480 481
* The `git_merge_tree_flag_t` is now `git_merge_flag_t`.  Subsequently,
  its members are no longer prefixed with `GIT_MERGE_TREE_FLAG` but are
  now prefixed with `GIT_MERGE_FLAG`, and the `tree_flags` field of the
  `git_merge_options` structure is now named `flags`.

* The `git_merge_file_flags_t` enum is now `git_merge_file_flag_t` for
  consistency with other enum type names.

482 483
* `git_cert` descendent types now have a proper `parent` member

484
* It is the responsibility of the refdb backend to decide what to do
485 486 487
  with the reflog on ref deletion. The file-based backend must delete
  it, a database-backed one may wish to archive it.

488 489 490 491
* `git_config_backend` has gained two entries. `lock` and `unlock`
  with which to implement the transactional/atomic semantics for the
  configuration backend.

492 493 494 495 496
* `git_index_add` and `git_index_conflict_add()` will now use the case
  as provided by the caller on case insensitive systems.  Previous
  versions would keep the case as it existed in the index.  This does
  not affect the higher-level `git_index_add_bypath` or
  `git_index_add_frombuffer` functions.
497

498 499 500
* The `notify_payload` field of `git_diff_options` was renamed to `payload`
  to reflect that it's also the payload for the new progress callback.

501 502 503 504
* The `git_config_level_t` enum has gained a higher-priority value
  `GIT_CONFIG_LEVEL_PROGRAMDATA` which represent a rough Windows equivalent
  to the system level configuration.

505
* `git_rebase_options` now has a `merge_options` field.
506 507 508 509 510

* The index no longer performs locking itself. This is not something
  users of the library should have been relying on as it's not part of
  the concurrency guarantees.

511 512 513
* `git_remote_connect()` now takes a `custom_headers` argument to set
  the extra HTTP header fields to send.

514
v0.23
515 516
------

517 518
### Changes or improvements

519 520 521 522
* Patience and minimal diff drivers can now be used for merges.

* Merges can now ignore whitespace changes.

523 524 525
* Updated binary identification in CRLF filtering to avoid false positives in
  UTF-8 files.

526 527
* Rename and copy detection is enabled for small files.

528 529 530
* Checkout can now handle an initial checkout of a repository, making
  `GIT_CHECKOUT_SAFE_CREATE` unnecessary for users of clone.

531 532 533 534
* The signature parameter in the ref-modifying functions has been
  removed. Use `git_repository_set_ident()` and
  `git_repository_ident()` to override the signature to be used.

535 536 537
* The local transport now auto-scales the number of threads to use
  when creating the packfile instead of sticking to one.

538 539 540 541 542 543
* Reference renaming now uses the right id for the old value.

* The annotated version of branch creation, HEAD detaching and reset
  allow for specifying the expression from the user to be put into the
  reflog.

544
* `git_rebase_commit` now returns `GIT_EUNMERGED` when you attempt to
545 546
  commit with unstaged changes.

547
* On Mac OS X, we now use SecureTransport to provide the cryptographic
548
  support for HTTPS connections insead of OpenSSL.
549

550 551 552
* Checkout can now accept an index for the baseline computations via the
  `baseline_index` member.

553 554 555 556 557
* The configuration for fetching is no longer stored inside the
  `git_remote` struct but has been moved to a `git_fetch_options`. The
  remote functions now take these options or the callbacks instead of
  setting them beforehand.

558 559 560 561
* `git_submodule` instances are no longer cached or shared across
  lookup. Each submodule represents the configuration at the time of
  loading.

562 563 564
* The index now uses diffs for `add_all()` and `update_all()` which
  gives it a speed boost and closer semantics to git.

565 566 567 568
* The ssh transport now reports the stderr output from the server as
  the error message, which allows you to get the "repository not
  found" messages.

569 570
* `git_index_conflict_add()` will remove staged entries that exist for
  conflicted paths.
571

572 573 574 575
* The flags for a `git_diff_file` will now have the `GIT_DIFF_FLAG_EXISTS`
  bit set when a file exists on that side of the diff.  This is useful
  for understanding whether a side of the diff exists in the presence of
  a conflict.
576

577 578 579 580
* The constructor for a write-stream into the odb now takes
  `git_off_t` instead of `size_t` for the size of the blob, which
  allows putting large files into the odb on 32-bit systems.

581 582 583 584
* The remote's push and pull URLs now honor the url.$URL.insteadOf
  configuration. This allows modifying URL prefixes to a custom
  value via gitconfig.

585 586 587 588
* `git_diff_foreach`, `git_diff_blobs`, `git_diff_blob_to_buffer`,
  and `git_diff_buffers` now accept a new binary callback of type
  `git_diff_binary_cb` that includes the binary diff information.

589 590 591
* The race condition mitigations described in `racy-git.txt` have been
  implemented.

592 593 594
* If libcurl is installed, we will use it to connect to HTTP(S)
  servers.

595 596
### API additions

597 598
* The `git_merge_options` gained a `file_flags` member.

599 600 601 602
* Parsing and retrieving a configuration value as a path is exposed
  via `git_config_parse_path()` and `git_config_get_path()`
  respectively.

603 604 605 606
* `git_repository_set_ident()` and `git_repository_ident()` serve to
  set and query which identity will be used when writing to the
  reflog.

607 608 609 610 611
* `git_config_entry_free()` frees a config entry.

* `git_config_get_string_buf()` provides a way to safely retrieve a
  string from a non-snapshot configuration.

612 613 614 615 616 617 618 619
* `git_annotated_commit_from_revspec()` allows to get an annotated
  commit from an extended sha synatx string.

* `git_repository_set_head_detached_from_annotated()`,
  `git_branch_create_from_annotated()` and
  `git_reset_from_annotated()` allow for the caller to provide an
  annotated commit through which they can control what expression is
  put into the reflog as the source/target.
620

621
* `git_index_add_frombuffer()` can now create a blob from memory
622 623 624 625 626 627 628 629 630
  buffer and add it to the index which is attached to a repository.

* The structure `git_fetch_options` has been added to determine the
  runtime configuration for fetching, such as callbacks, pruning and
  autotag behaviour. It has the runtime initializer
  `git_fetch_init_options()`.

* The enum `git_fetch_prune_t` has been added, letting you specify the
  pruning behaviour for a fetch.
631

632 633 634 635
* A push operation will notify the caller of what updates it indends
  to perform on the remote, which provides similar information to
  git's pre-push hook.

636 637 638 639 640 641
* `git_stash_apply()` can now apply a stashed state from the stash list,
  placing the data into the working directory and index.

* `git_stash_pop()` will apply a stashed state (like `git_stash_apply()`)
  but will remove the stashed state after a successful application.

642 643 644 645 646
* A new error code `GIT_EEOF` indicates an early EOF from the
  server. This typically indicates an error with the URL or
  configuration of the server, and tools can use this to show messages
  about failing to communicate with the server.

647 648 649
* A new error code `GIT_EINVALID` indicates that an argument to a
  function is invalid, or an invalid operation was requested.

650 651 652 653 654 655 656 657
* `git_diff_index_to_workdir()` and `git_diff_tree_to_index()` will now
  produce deltas of type `GIT_DELTA_CONFLICTED` to indicate that the index
  side of the delta is a conflict.

* The `git_status` family of functions will now produce status of type
  `GIT_STATUS_CONFLICTED` to indicate that a conflict exists for that file
  in the index.

658 659 660 661
* `git_index_entry_is_conflict()` is a utility function to determine if
  a given index entry has a non-zero stage entry, indicating that it is
  one side of a conflict.

662 663 664 665
* It is now possible to pass a keypair via a buffer instead of a
  path. For this, `GIT_CREDTYPE_SSH_MEMORY` and
  `git_cred_ssh_key_memory_new()` have been added.

666 667 668
* `git_filter_list_contains` will indicate whether a particular
  filter will be run in the given filter list.

669 670 671
* `git_commit_header_field()` has been added, which allows retrieving
  the contents of an arbitrary header field.

672 673 674
* `git_submodule_set_branch()` allows to set the configured branch for
  a submodule.

675 676
### API removals

677
* `git_remote_save()` and `git_remote_clear_refspecs()` have been
678 679 680 681 682
  removed. Remote's configuration is changed via the configuration
  directly or through a convenience function which performs changes to
  the configuration directly.

* `git_remote_set_callbacks()`, `git_remote_get_callbacks()` and
683
  `git_remote_set_transport()` have been removed and the remote no
684 685
  longer stores this configuration.

686 687 688 689
* `git_remote_set_fetch_refpecs()` and
  `git_remote_set_push_refspecs()` have been removed. There is no
  longer a way to set the base refspecs at run-time.

690 691 692
* `git_submodule_save()` has been removed. The submodules are no
  longer configured via the objects.

693 694 695
* `git_submodule_reload_all()` has been removed as we no longer cache
  submodules.

696 697
### Breaking API changes

698 699
* `git_smart_subtransport_cb` now has a `param` parameter.

700 701 702
* The `git_merge_options` structure member `flags` has been renamed
  to `tree_flags`.

Shawn Landden committed
703
* The `git_merge_file_options` structure member `flags` is now
704 705
  an unsigned int. It was previously a `git_merge_file_flags_t`.

706 707 708 709 710
* `GIT_CHECKOUT_SAFE_CREATE` has been removed.  Most users will generally
  be able to switch to `GIT_CHECKOUT_SAFE`, but if you require missing
  file handling during checkout, you may now use `GIT_CHECKOUT_SAFE |
  GIT_CHECKOUT_RECREATE_MISSING`.

711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729
* The `git_clone_options` and `git_submodule_update_options`
  structures no longer have a `signature` field.

* The following functions have removed the signature and/or log message
  parameters in favour of git-emulating ones.

    * `git_branch_create()`, `git_branch_move()`
    * `git_rebase_init()`, `git_rebase_abort()`
    * `git_reference_symbolic_create_matching()`,
      `git_reference_symbolic_create()`, `git_reference_create()`,
      `git_reference_create_matching()`,
      `git_reference_symbolic_set_target()`,
      `git_reference_set_target()`, `git_reference_rename()`
    * `git_remote_update_tips()`, `git_remote_fetch()`, `git_remote_push()`
    * `git_repository_set_head()`,
      `git_repository_set_head_detached()`,
      `git_repository_detach_head()`
    * `git_reset()`

730 731 732 733 734 735 736
* `git_config_get_entry()` now gives back a ref-counted
  `git_config_entry`. You must free it when you no longer need it.

* `git_config_get_string()` will return an error if used on a
  non-snapshot configuration, as there can be no guarantee that the
  returned pointer is valid.

737 738 739
* `git_note_default_ref()` now uses a `git_buf` to return the string,
  as the string is otherwise not guaranteed to stay allocated.

740 741 742 743
* `git_rebase_operation_current()` will return `GIT_REBASE_NO_OPERATION`
  if it is called immediately after creating a rebase session but before
  you have applied the first patch.

744 745
* `git_rebase_options` now contains a `git_checkout_options` struct
  that will be used for functions that modify the working directory,
746 747
  namely `git_rebase_init`, `git_rebase_next` and
  `git_rebase_abort`.  As a result, `git_rebase_open` now also takes
748
  a `git_rebase_options` and only the `git_rebase_init` and
749 750 751
  `git_rebase_open` functions take a `git_rebase_options`, where they
  will persist the options to subsequent `git_rebase` calls.

752 753 754 755
* The `git_clone_options` struct now has fetch options in a
  `fetch_opts` field instead of remote callbacks in
  `remote_callbacks`.

756 757 758
* The remote callbacks has gained a new member `push_negotiation`
  which gets called before sending the update commands to the server.

759
* The following functions no longer act on a remote instance but
760 761 762 763 764 765 766 767 768 769
  change the repository's configuration. Their signatures have changed
  accordingly:

    * `git_remote_set_url()`, `git_remote_seturl()`
    * `git_remote_add_fetch()`, `git_remote_add_push()` and
    * `git_remote_set_autotag()`

* `git_remote_connect()` and `git_remote_prune()` now take a pointer
  to the callbacks.

770
* `git_remote_fetch()` and `git_remote_download()` now take a pointer
771 772 773
  to fetch options which determine the runtime configuration.

* The `git_remote_autotag_option_t` values have been changed. It has
774
  gained a `_UNSPECIFIED` default value to specify no override for the
775 776 777 778 779 780
  configured setting.

* `git_remote_update_tips()` now takes a pointer to the callbacks as
  well as a boolean whether to write `FETCH_HEAD` and the autotag
  setting.

781 782 783
* `git_remote_create_anonymous()` no longer takes a fetch refspec as
  url-only remotes cannot have configured refspecs.

784 785 786 787
* The `git_submodule_update_options` struct now has fetch options in
  the `fetch_opts` field instead of callbacks in the
  `remote_callbacks` field.

788 789 790 791 792 793 794 795 796 797 798
* The following functions no longer act on a submodule instance but
  change the repository's configuration. Their signatures have changed
  accordingly:

    * `git_submodule_set_url()`, `git_submodule_set_ignore()`,
      `git_submodule_set_update()`,
      `git_submodule_set_fetch_recurse_submodules()`.

* `git_submodule_status()` no longer takes a submodule instance but a
  repsitory, a submodule name and an ignore setting.

799 800 801
* The `push` function in the `git_transport` interface now takes a
  pointer to the remote callbacks.

802 803 804 805 806
* The `git_index_entry` struct's fields' types have been changed to
  more accurately reflect what is in fact stored in the
  index. Specifically, time and file size are 32 bits intead of 64, as
  these values are truncated.

807 808 809
* `GIT_EMERGECONFLICT` is now `GIT_ECONFLICT`, which more accurately
  describes the nature of the error.

810 811 812
* It is no longer allowed to call `git_buf_grow()` on buffers
  borrowing the memory they point to.

813
v0.22
814 815
------

816
### Changes or improvements
817

818
* `git_signature_new()` now requires a non-empty email address.
819

820
* Use CommonCrypto libraries for SHA-1 calculation on Mac OS X.
821

822 823
* Disable SSL compression and SSLv2 and SSLv3 ciphers in favor of TLSv1
  in OpenSSL.
824

825 826 827
* The fetch behavior of remotes with autotag set to `GIT_REMOTE_DOWNLOAD_TAGS_ALL`
  has been changed to match git 1.9.0 and later. In this mode, libgit2 now
  fetches all tags in addition to whatever else needs to be fetched.
828

829 830
* `git_checkout()` now handles case-changing renames correctly on
  case-insensitive filesystems; for example renaming "readme" to "README".
831

832 833
* The search for libssh2 is now done via pkg-config instead of a
  custom search of a few directories.
834

835 836
* Add support for core.protectHFS and core.protectNTFS. Add more
  validation for filenames which we write such as references.
837

838 839
* The local transport now generates textual progress output like
  git-upload-pack does ("counting objects").
840

841 842 843 844
* `git_checkout_index()` can now check out an in-memory index that is not
  necessarily the repository's index, so you may check out an index
  that was produced by git_merge and friends while retaining the cached
  information.
845

846 847
* Remove the default timeout for receiving / sending data over HTTP using
  the WinHTTP transport layer.
848

849
* Add SPNEGO (Kerberos) authentication using GSSAPI on Unix systems.
850

851 852
* Provide built-in objects for the empty blob (e69de29) and empty
  tree (4b825dc) objects.
853

854 855
* The index' tree cache is now filled upon read-tree and write-tree
  and the cache is written to disk.
856

857
* LF -> CRLF filter refuses to handle mixed-EOL files
858

859
* LF -> CRLF filter now runs when * text = auto (with Git for Windows 1.9.4)
860

861 862
* File unlocks are atomic again via rename. Read-only files on Windows are
  made read-write if necessary.
863

864
* Share open packfiles across repositories to share descriptors and mmaps.
865

866
* Use a map for the treebuilder, making insertion O(1)
867

868 869 870
* The build system now accepts an option EMBED_SSH_PATH which when set
  tells it to include a copy of libssh2 at the given location. This is
  enabled for MSVC.
871 872 873

* Add support for refspecs with the asterisk in the middle of a
  pattern.
874

875 876
* Fetching now performs opportunistic updates. To achieve this, we
  introduce a difference between active and passive refspecs, which
877
  make `git_remote_download()` and `git_remote_fetch()` to take a list of
878 879 880
  resfpecs to be the active list, similarly to how git fetch accepts a
  list on the command-line.

881 882
* The THREADSAFE option to build libgit2 with threading support has
  been flipped to be on by default.
883

884 885 886 887 888 889 890
* The remote object has learnt to prune remote-tracking branches. If
  the remote is configured to do so, this will happen via
  `git_remote_fetch()`. You can also call `git_remote_prune()` after
  connecting or fetching to perform the prune.


### API additions
891

892 893 894 895 896 897 898 899 900 901 902
* Introduce `git_buf_text_is_binary()` and `git_buf_text_contains_nul()` for
  consumers to perform binary detection on a git_buf.

* `git_branch_upstream_remote()` has been introduced to provide the
  branch.<name>.remote configuration value.

* Introduce `git_describe_commit()` and `git_describe_workdir()` to provide
  a description of the current commit (and working tree, respectively)
  based on the nearest tag or reference

* Introduce `git_merge_bases()` and the `git_oidarray` type to expose all
903
  merge bases between two commits.
904

905
* Introduce `git_merge_bases_many()` to expose all merge bases between
906
  multiple commits.
907 908

* Introduce rebase functionality (using the merge algorithm only).
909 910 911 912 913
  Introduce `git_rebase_init()` to begin a new rebase session,
  `git_rebase_open()` to open an in-progress rebase session,
  `git_rebase_commit()` to commit the current rebase operation,
  `git_rebase_next()` to apply the next rebase operation,
  `git_rebase_abort()` to abort an in-progress rebase and `git_rebase_finish()`
914 915
  to complete a rebase operation.

916 917
* Introduce `git_note_author()` and `git_note_committer()` to get the author
  and committer information on a `git_note`, respectively.
918

919 920 921
* A factory function for ssh has been added which allows to change the
  path of the programs to execute for receive-pack and upload-pack on
  the server, `git_transport_ssh_with_paths()`.
922

923 924 925 926 927
* The ssh transport supports asking the remote host for accepted
  credential types as well as multiple challeges using a single
  connection. This requires to know which username you want to connect
  as, so this introduces the USERNAME credential type which the ssh
  transport will use to ask for the username.
928

929 930 931
* The `GIT_EPEEL` error code has been introduced when we cannot peel a tag
  to the requested object type; if the given object otherwise cannot be
  peeled, `GIT_EINVALIDSPEC` is returned.
932

933 934
* Introduce `GIT_REPOSITORY_INIT_RELATIVE_GITLINK` to use relative paths
  when writing gitlinks, as is used by git core for submodules.
935

936
* `git_remote_prune()` has been added. See above for description.
937

938

939 940 941 942
* Introduce reference transactions, which allow multiple references to
  be locked at the same time and updates be queued. This also allows
  us to safely update a reflog with arbitrary contents, as we need to
  do for stash.
943

944
### API removals
945

946 947 948 949 950 951 952 953 954 955 956
* `git_remote_supported_url()` and `git_remote_is_valid_url()` have been
  removed as they have become essentially useless with rsync-style ssh paths.

* `git_clone_into()` and `git_clone_local_into()` have been removed from the
  public API in favour of `git_clone callbacks`.

* The option to ignore certificate errors via `git_remote_cert_check()`
  is no longer present. Instead, `git_remote_callbacks` has gained a new
  entry which lets the user perform their own certificate checks.

### Breaking API changes
957

958 959 960 961 962 963 964
* `git_cherry_pick()` is now `git_cherrypick()`.

* The `git_submodule_update()` function was renamed to
  `git_submodule_update_strategy()`. `git_submodule_update()` is now used to
  provide functionalty similar to "git submodule update".

* `git_treebuilder_create()` was renamed to `git_treebuilder_new()` to better
965 966
  reflect it being a constructor rather than something which writes to
  disk.
967

968 969 970
* `git_treebuilder_new()` (was `git_treebuilder_create()`) now takes a
  repository so that it can query repository configuration.
  Subsequently, `git_treebuilder_write()` no longer takes a repository.
971

972 973 974
* `git_threads_init()` and `git_threads_shutdown()` have been renamed to
  `git_libgit2_init()` and `git_libgit2_shutdown()` to better explain what
  their purpose is, as it's grown to be more than just about threads.
975

976 977 978
* `git_libgit2_init()` and `git_libgit2_shutdown()` now return the number of
  initializations of the library, so consumers may schedule work on the
  first initialization.
979

980 981
* The `git_transport_register()` function no longer takes a priority and takes
  a URL scheme name (eg "http") instead of a prefix like "http://"
982

983 984
* `git_index_name_entrycount()` and `git_index_reuc_entrycount()` now
  return size_t instead of unsigned int.
985

986 987 988 989
* The `context_lines` and `interhunk_lines` fields in `git_diff`_options are
  now `uint32_t` instead of `uint16_t`. This allows to set them to `UINT_MAX`,
  in effect asking for "infinite" context e.g. to iterate over all the
  unmodified lines of a diff.
990

991 992
* `git_status_file()` now takes an exact path. Use `git_status_list_new()` if
  pathspec searching is needed.
993

994 995
* `git_note_create()` has changed the position of the notes reference
  name to match `git_note_remove()`.
996

997 998
* Rename `git_remote_load()` to `git_remote_lookup()` to bring it in line
  with the rest of the lookup functions.
999

1000 1001 1002 1003
* `git_remote_rename()` now takes the repository and the remote's
  current name. Accepting a remote indicates we want to change it,
  which we only did partially. It is much clearer if we accept a name
  and no loaded objects are changed.
1004

1005 1006
* `git_remote_delete()` now accepts the repository and the remote's name
  instead of a loaded remote.
1007

1008 1009
* `git_merge_head` is now `git_annotated_commit`, to better reflect its usage
  for multiple functions (including rebase)
1010

1011 1012
* The `git_clone_options` struct no longer provides the `ignore_cert_errors` or
  `remote_name` members for remote customization.
1013

1014 1015 1016 1017
  Instead, the `git_clone_options` struct has two new members, `remote_cb` and
  `remote_cb_payload`, which allow the caller to completely override the remote
  creation process. If needed, the caller can use this callback to give their
  remote a name other than the default (origin) or disable cert checking.
1018

1019 1020
  The `remote_callbacks` member has been preserved for convenience, although it
  is not used when a remote creation callback is supplied.
1021

1022 1023 1024
* The `git_clone`_options struct now provides `repository_cb` and
  `repository_cb_payload` to allow the user to create a repository with
  custom options.
1025

1026 1027 1028 1029 1030
* The `git_push` struct to perform a push has been replaced with
  `git_remote_upload()`. The refspecs and options are passed as a
  function argument. `git_push_update_tips()` is now also
  `git_remote_update_tips()` and the callbacks are in the same struct as
  the rest.
1031

1032 1033
* The `git_remote_set_transport()` function now sets a transport factory function,
  rather than a pre-existing transport instance.
1034

1035 1036 1037 1038 1039 1040 1041
* The `git_transport` structure definition has moved into the sys/transport.h
  file.

* libgit2 no longer automatically sets the OpenSSL locking
  functions. This is not something which we can know to do. A
  last-resort convenience function is provided in sys/openssl.h,
  `git_openssl_set_locking()` which can be used to set the locking.