When parsing attributes, we need to search for the first
unescaped whitespace character to determine where the pattern is
to be cut off. The scan fails to account for the case where the
escaping '\' character is itself escaped, though, and thus we
would not recognize the cut-off point in patterns like "\\ ".

Refactor the scanning loop to remember whether the last character
was an escape character. If it was and the next character is a
'\', too, then we will reset to non-escaped mode again. Thus, we
now handle escaped whitespaces as well as escaped wildcards
correctly.

Windows-based systems treat paths starting with '\' as absolute,
either referring to the current drive's root (e.g. "\foo" might
refer to "C:\foo") or to a network path (e.g. "\\host\foo"). On
the other hand, (most?) systems that are not based on Win32
accept backslashes as valid characters that may be part of the
filename, and thus we cannot treat them to identify absolute
paths.

Change the logic to only paths starting with '\' as absolute on
the Win32 platform. Add tests to avoid regressions and document
behaviour.

We had several occasions where tests for the gitignore had been
added to status::ignore instead of the easier-to-handle
attr::ignore test suite. This most likely resulted from the fact
that the attr::ignore test suite is not easy to discover inside
of the attr folder. Furthermore, ignore being part of the
attributes code is an implementation detail, only, and thus
shouldn't be stressed as much.

Improve this by moving both attr::ignore and status::ignore tests
into a new ignore test suite.

The "ignore.c.bak" file has accidentally been checked in via
commit 19164901 (ignore: test that leading whitespace is
significant, 2019-05-19) and should obviously not be part of our
test suites. Delete it.

ignore: handle escaped trailing whitespace

Ignore: only treat one leading slash as a root identifier

The gitignore's pattern format specifies that "Trailing spaces
are ignored unless they are quoted with backslash ("\")". We do
not honor this currently and will treat a pattern "foo\ " as if
it was "foo\" only and a pattern "foo\ \ " as "foo\ \".

Fix our code to handle those special cases and add tests to avoid
regressions.

The stripping of trailing spaces currently happens as part of
`git_attr_fnmatch__parse`. As we aren't currently parsing
trailing whitespaces correct in case they're escaped, we'll have
to change that code, though. To make actual behavioural change
easier to review, refactor the code up-front by pulling it out
into its own function that is expected to retain the exact same
functionality as before. Like this, the fix will be trivial to
apply.

online tests: use gitlab for auth failures

GitHub recently changed their behavior from returning 401s for private
or nonexistent repositories on a clone to returning 404s.  For our tests
that require an auth failure (and 401), move to GitLab to request a
missing repository.  This lets us continue to test our auth failure
case, at least until they decide to mimic that decision.

Ignore files: don't ignore whitespace

Unlike ignore files, gitattribute files can have flexible whitespace at
the beginning of the line.  Ensure that by adding new ignore rules that
we have not impeded correct parsing of attribute files.

When `allow_space` is unset, ensure that leading whitespace is not
skipped.

Comments must have a '#' at the beginning of the line.  For
compatibility with git, '#' after a whitespace is a literal part of the
filename.

Ensure that leading whitespace is treated as being part of the filename,
eg ` foo` in an ignore file indicates that a file literally named ` foo`
is ignored.

cache: fix cache eviction using deallocated key

SECURITY.md: split out security-relevant bits from readme

When evicting cache entries, we first retrieve the object that is
to be evicted, delete the object and then finally delete the key
from the cache. In case where the cache eviction caused us to
free the cached object, though, its key will point to invalid
memory now when trying to remove it from the cache map. On my
system, this causes us to not properly remove the key from the
map, as its memory has been overwritten already and thus the key
lookup it will fail and we cannot delete it.

Fix this by only decrementing the refcount of the evictee after
we have removed it from our cache map. Add a test that caused a
segfault previous to that change.

Restore NetBSD support

See: https://www.netbsd.org/changes/changes-7.0.html

GitHub has recently introduced a new set of tools that aims to
ease the process around vulnerability reports and security fixes.
Part of those tools is a new security tab for projects that will
display contents from a new SECURITY.md file.

Move relevant parts from README.md to this new file to make use
of this feature.

repository: fix garbage return value

error was never initialized and a garbage value returned on success.

cmake: disable fallthrough warnings for PCRE

Our PCRE dependency has uncommented fallthroughs in switch statements.
Turn off warnings for those in the PCRE code.

Configuration parsing: validate section headers with quotes

The `parse_section_header_ext` name suggests that it as an extended
function for parsing the section header.  It is not.  Rename it to
`parse_subsection_header` to better reflect its true mission.

When we reach a whitespace after a section name, we assume that what
will follow will be a quoted subsection name.  Pass the current position
of the line being parsed to the subsection parser, so that it can
validate that subsequent characters are additional whitespace or a
single quote.

Previously we would begin parsing after the section name, looking for
the first quotation mark.  This allows invalid characters to embed
themselves between the end of the section name and the first quotation
mark, eg `[section foo "subsection"]`, which is illegal.

When we don't specify a particular column, don't write it in the error
message.  (column "0" is unhelpful.)

Update the configuration parsing error messages to be lower-cased for
consistency with the rest of the library.

Loosen restriction on wildcard "*" refspecs

Use PCRE for our fallback regex engine when regcomp_l is unavailable

Remote URL last-chance resolution

Explicitly enable the `builtin` regex backend and the PCRE backend for
some Linux builds.

Since libssh2 doesn't read host configuration from the config file,
this callback can be used to hand over URL resolving to the client
without touching the SSH implementation itself.

This avoids any misunderstanding with the REGEX keyword in cmake.

Skip UTF8 BOM in ignore files

We've already added `ZLIB_LIBRARIES` to `LIBGIT2_LIBS` so don't also add the `z` library