Honor 'GIT_USE_NSEC' option in `filesystem_iterator_set_current`

Use longer conflict markers in recursive merge base

status::renames: test update for APFS (write NFD instead of NFC filename)

This should have been part of PR #3638. Without this we still get 
nsec-related errors, even when using -DGIT_USE_NSEC:

 error: ‘struct stat’ has no member named ‘st_mtime_nsec’

Special-casing null OIDs

README.md: add notes on how to report security issues

The null OID (hash with all zeroes) indicates a missing object in
upstream git and is thus not a valid object ID. Add defensive
measurements to avoid writing such a hash to the object database in the
very unlikely case where some data results in the null OID. Furthermore,
add shortcuts when reading the null OID from the ODB to avoid ever
returning an object when a faulty repository may contain the null OID.

In commit a96d3cc3f (cache-tree: reject entries with null sha1,
2017-04-21), the git.git project has changed its stance on null OIDs in
tree objects. Previously, null OIDs were accepted in tree entries to
help tools repair broken history. This resulted in some problems though
in that many code paths mistakenly passed null OIDs to be added to a
tree, which was not properly detected.

Align our own code base according to the upstream change and reject
writing tree entries early when the OID is all-zero.

odb: export mempack backend

Fixes #4492, #4496.

Update the status::renames test to create an NFD format filename in the
core.precomposedunicode tests.

Previously, we would create an NFC format filename.  This was to take
advantage of HFS+ filesystems, which always use canonically decomposed
formats, and would actually write the filename to disk as an NFD
filename.  So previously, we could create an NFC filename, but read it
normally as an NFD filename.

But APFS formats do not force canonically decomposed formats for
filenames, so creating an NFC filename does not get converted to NFD.
Instead, the filename will be written in NFC format.  Our test,
therefore, does not work - when we write an NFC filename, it will
_remain_ NFC.

Update the test to write NFD always.  This will ensure that the file
will actually be canonically decomposed on all platforms:  HFS+, which
forces NFD, and APFS, which does not.

Thus, our test will continue to ensure that an NFD filename is
canonically precomposed on all filesystems.

Git uses longer conflict markers in the recursive merge base - two more
than the default (thus, 9 character long conflict markers).  This allows
users to tell the difference between the recursive merge conflicts and
conflicts between the ours and theirs branches.

This was introduced in git d694a17986a28bbc19e2a6c32404ca24572e400f.

Update our tests to expect this as well.

Allow for a custom conflict marker size, allowing callers to override
the default size of the "<<<<<<<" and ">>>>>>>" markers in the
conflicted output file.

branch: refuse creating branches named 'HEAD'

refs: include " sorted " in our packed-refs header

message: update docs for git_message_prettify

tests: online::clone: fix memory leak due to not freeing URL

Since a625b092c (branch: correctly reject refs/heads/{-dash,HEAD},
2017-11-14), which is included in v2.16.0, upstream git refuses to
create branches which are named HEAD to avoid ambiguity with the
symbolic HEAD reference. Adjust our own code to match that behaviour and
reject creating branches names HEAD.

We used to hard-code the octothorpe as the comment character and the
documentation still mentions this even though we accept the comment character as
a parameter.

Update the line to indicate this and clean up the first paragraph a bit.

Implement message trailer parsing API

Memory leaks

This lets git know that we do in fact have written our packed-refs file
sorted (which is apparently not necessarily the case) and it can then use the
new-ish mmaped access which lets it avoid significant amounts of effort parsing
potentially large files to get to a single piece of data.

The test refs::iterator::foreach_name iterates through every reference
and copies its name into a local vector. While the test makes sure to
free the vector afterwards, the copied reference names are not being
free'd. Fix that.

References passed to the callback function of `git_reference_foreach`
are expected to be owned by the callback. As such, they are never being
freed by `git_reference_foreach`, but will have to be freed by the
caller. This small detail is never mentioned in the function's
documentation, though, making it easy to get wrong. Document this to
make it discoverable.

Upon downloading the pack file, the local transport will iterate through
every reference using `git_reference_foreach`. The function is a bit
tricky though in that it requires the passed callback to free the
references, which does not currently happen.

Fix the memory leak by freeing all passed references in the callback.

Two tests in network::fetchlocal explicitly set a cleanup function to
free and remove the created sandbox repositories. This is not necessary,
though, as the cleanup function executed after each test already takes
care of cleaning up after them. Remove the code to avoid needless code
duplication.

travis: fetch trusty dependencies from Bintray

The VM on Travis apparently will still proceed, but it's good practice.

The trusty dependencies are now hosted on Bintray.

cmake: use a FEATURE_SUMMARY call compatible with 3.0.2