All our hosted VMs have been updated to #GameOfTrees 0.125, with additional fixes relevant to repositories which make extensive use of merge commits in their #Git workflow (which seems to be the exception at present).

In case you ever run into errors about missing objects while fetching or sending, please contact us here, or on IRC, or by email, and we will work it out. The cause for such problems is now well understood, the gotd server running on gothub.org VMs has been fixed, and we know how to repair affected repositories.

#Microsoft has been passionately ruining everything #GitHub was to many, duct taping #LLM slop anywhere and everywhere. And #GitLab looks at this and thinks... Yeah, let's do that too, that looks awesome?

This is pathetic.

I guess all hope for open source and hopefully slop-free solutions that can help build and maintain communities around code now really truly lie with #Forgejo, #SourceHut, #GameOfTrees, and something like #cgit I suppose? But for how long will that remain true?

Damn.
Game of Trees 0.125 released

I submitted a Pull Request to update MacPorts' Got (Game of Trees) to -portable 0.125 here:

https://github.com/macports/macports-ports/pull/32664

GitHub Continuous Integration checks passed OK!

It's up to someone else to merge it.

I would submit a story to undeadly, but the site seems to be loading intermittently the past several days. ;( Not sure what is up with that.

#Got #GameOfTrees #MacPorts #VersionControl #OpenSource #Git

We have awarded our first free VM to Runxi Yu, in return for security issues they found in #GameOfTrees and reported to the project. Thanks!

We recommend updating your got clients to version 0.125 as soon as feasible to prevent potential man-in-the-middle scenarios against your gothub.org server and other Git servers you might be using.

Details here: https://bsd.network/@stsp/116546813289077690


#gameoftrees #got #vcs

As per @stsp's announcement:

https://bsd.network/@stsp/116550507403402183

I've also released got's -portable version 0.125

Same features as this version of got; no -portable specific changes in this release.

See: https://gameoftrees.org/portable.html

Usual mirror updated as well.

Any questions about this release, let me know.


The #Git compatible version control system #GameOfTrees has a new release numbered 0.125.

This release ships important fixes for two client-side security issues reported by Runxi Yu:

Arbitrary file overwrite with user permissions via crafted tree object entry names. Anywhere on the filesystem with got-portable, only in /tmp on #OpenBSD.

Creation of .got/got.conf as a versioned file was possible. This could be abused to add malicious remote server entries to the run-time configuration used during fetch and send operations, potentially resulting in falsified Git history being downloaded. Double-checking unknown SSH host key fingerprints is recommended as a mitigation. Never blindly accept SSH host keys. And avoid cloning and fetching over HTTPS if possible.

Thanks to Runxi Yu for spotting and reporting these issues

(EDIT: Fixes for the issue described below, and for a second issue which is more severe, have now been shipped in got and got -portable 0.125)

If you are using #gameoftrees (on #OpenBSD or anywhere else) please always be diligent about checking SSH host key fingerprints.

Versioned files inside the work tree's meta-data .got directory can be created during 'got checkout' or changed during 'got update'. Files in the meta-data directory should never be under version control, yet the current implementation unfortunately allows this.

Which provides a way for malicious repositories to configure remote servers stored in .got/got.conf which would then be used by the fetch and send commands. Unless you already have the bad host key stored, SSH will ask for verification of the bad server's host key fingerprint as the last line of defense against a man-in-the-middle.

The problem was reported to me by Runxi Yu about 2 hours ago. A fix for this issue is being worked on: https://marc.gameoftrees.org/mail/1778362202.49408_0.html

do not allow versioned files in meta-data directories
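
An added illustration, not code from got or from any of the posts above: the kind of checkout-time check that covers both issues named in the 0.125 announcement, refusing tree entry names that are not a single path component and refusing any file whose path starts in the work tree's `.got` meta-data directory. The function names and the rule that only a top-level `.got` is refused are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Work tree meta-data directory named in the advisory. */
#define META_DIR ".got"

/* A Git tree entry name is a single path component. Reject anything that
 * could step outside the directory being populated. */
int tree_entry_name_ok(const char *name)
{
	if (name[0] == '\0' || strchr(name, '/') != NULL)
		return 0;
	if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
		return 0;
	return 1;
}

/* names[0..n-1] are the entry names met while walking from the root tree
 * down to one file. Return 1 only if the file may be written to disk. */
int checkout_path_ok(const char *const *names, size_t n)
{
	size_t i;

	if (n == 0)
		return 0;
	for (i = 0; i < n; i++) {
		if (!tree_entry_name_ok(names[i]))
			return 0;
	}
	/* Assumption: only a top-level ".got" collides with the meta-data. */
	if (strcmp(names[0], META_DIR) == 0)
		return 0;
	return 1;
}

int main(void)
{
	/* Constructed sample paths, not taken from any real repository. */
	const char *ok[] = { "src", "main.c" };
	const char *conf[] = { ".got", "got.conf" };
	const char *up[] = { "..", "x" };
	const char *slash[] = { "a/b" };

	printf("%d %d %d %d\n", checkout_path_ok(ok, 2),
	    checkout_path_ok(conf, 2), checkout_path_ok(up, 2),
	    checkout_path_ok(slash, 1));
	return 0;
}
```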

Thank you!

I submitted a Pull Request to update MacPorts' Got (Game of Trees) to 0.124 here:

https://github.com/macports/macports-ports/pull/32238

GitHub Continuous Integration checks passed OK!

It's up to someone else with commit access to merge it.

I'm excited about the UTF-8 improvements in this release!

#Got #GameOfTrees #MacPorts #VersionControl #Git #OpenSource

#got #gameoftrees

I've released got-portable 0.124 in line with upstream got.

No -portable changes, and for anything more general, have a look at got's release notes:

https://gameoftrees.org/releases/changes.html#2026-04-13

For the -portable bits, see:

https://gameoftrees.org/portable.html

Any issues/questions, please let me know!

Now shut up and hack!
