Document how to run it locally on macOS & Linux

Callback type names should be suffixed with `_cb`

tests: checkout: fix symlink.git being created outside of sandbox

The trace logging callbacks should match the other callback naming
conventions, using the `_cb` suffix instead of a `_callback` suffix.

The credential callbacks should match the other callback naming
conventions, using the `_cb` suffix instead of a `_callback` suffix.

The function `populate_symlink_workdir` creates a new
"symlink.git" repository with a relative path "../symlink.git".
As the current working directory is the sandbox, the new
repository will be created just outside of the sandbox.

Fix this by using `clar_sandbox_path`.

ignore: handle escaped trailing whitespace

Ignore: only treat one leading slash as a root identifier

The gitignore's pattern format specifies that "Trailing spaces
are ignored unless they are quoted with backslash ("\")". We do
not honor this currently and will treat a pattern "foo\ " as if
it was "foo\" only and a pattern "foo\ \ " as "foo\ \".

Fix our code to handle those special cases and add tests to avoid
regressions.

The stripping of trailing spaces currently happens as part of
`git_attr_fnmatch__parse`. As we aren't currently parsing
trailing whitespaces correct in case they're escaped, we'll have
to change that code, though. To make actual behavioural change
easier to review, refactor the code up-front by pulling it out
into its own function that is expected to retain the exact same
functionality as before. Like this, the fix will be trivial to
apply.

online tests: use gitlab for auth failures

GitHub recently changed their behavior from returning 401s for private
or nonexistent repositories on a clone to returning 404s.  For our tests
that require an auth failure (and 401), move to GitLab to request a
missing repository.  This lets us continue to test our auth failure
case, at least until they decide to mimic that decision.

Ignore files: don't ignore whitespace

Unlike ignore files, gitattribute files can have flexible whitespace at
the beginning of the line.  Ensure that by adding new ignore rules that
we have not impeded correct parsing of attribute files.

When `allow_space` is unset, ensure that leading whitespace is not
skipped.

Comments must have a '#' at the beginning of the line.  For
compatibility with git, '#' after a whitespace is a literal part of the
filename.

Ensure that leading whitespace is treated as being part of the filename,
eg ` foo` in an ignore file indicates that a file literally named ` foo`
is ignored.

cache: fix cache eviction using deallocated key

SECURITY.md: split out security-relevant bits from readme

When evicting cache entries, we first retrieve the object that is
to be evicted, delete the object and then finally delete the key
from the cache. In case where the cache eviction caused us to
free the cached object, though, its key will point to invalid
memory now when trying to remove it from the cache map. On my
system, this causes us to not properly remove the key from the
map, as its memory has been overwritten already and thus the key
lookup it will fail and we cannot delete it.

Fix this by only decrementing the refcount of the evictee after
we have removed it from our cache map. Add a test that caused a
segfault previous to that change.

Restore NetBSD support

See: https://www.netbsd.org/changes/changes-7.0.html

GitHub has recently introduced a new set of tools that aims to
ease the process around vulnerability reports and security fixes.
Part of those tools is a new security tab for projects that will
display contents from a new SECURITY.md file.

Move relevant parts from README.md to this new file to make use
of this feature.

repository: fix garbage return value

error was never initialized and a garbage value returned on success.

cmake: disable fallthrough warnings for PCRE

Our PCRE dependency has uncommented fallthroughs in switch statements.
Turn off warnings for those in the PCRE code.

Configuration parsing: validate section headers with quotes

The `parse_section_header_ext` name suggests that it as an extended
function for parsing the section header.  It is not.  Rename it to
`parse_subsection_header` to better reflect its true mission.

When we reach a whitespace after a section name, we assume that what
will follow will be a quoted subsection name.  Pass the current position
of the line being parsed to the subsection parser, so that it can
validate that subsequent characters are additional whitespace or a
single quote.

Previously we would begin parsing after the section name, looking for
the first quotation mark.  This allows invalid characters to embed
themselves between the end of the section name and the first quotation
mark, eg `[section foo "subsection"]`, which is illegal.

When we don't specify a particular column, don't write it in the error
message.  (column "0" is unhelpful.)

Update the configuration parsing error messages to be lower-cased for
consistency with the rest of the library.

Loosen restriction on wildcard "*" refspecs

Use PCRE for our fallback regex engine when regcomp_l is unavailable

Remote URL last-chance resolution

Explicitly enable the `builtin` regex backend and the PCRE backend for
some Linux builds.

Since libssh2 doesn't read host configuration from the config file,
this callback can be used to hand over URL resolving to the client
without touching the SSH implementation itself.

This avoids any misunderstanding with the REGEX keyword in cmake.

Skip UTF8 BOM in ignore files

We've already added `ZLIB_LIBRARIES` to `LIBGIT2_LIBS` so don't also add the `z` library