I've released got's -portable version 0.126
Same features as this version of got; no -portable specific changes in this release.
See: https://gameoftrees.org/portable.html
Usual mirror updated as well.
Any questions about this release, let me know.
I have finished up and merged the sha256 network support work which was started by @op some time ago.
Which means the next release of #GameOfTrees will support cloning, fetching, and sending changes from/to SHA256-capable #Git servers (such as @forgejo).
Server-side support will need more work still so this won't immediately allow @gothub to host SHA256 repositories. But we also want to get that working eventually.
Happy hacking
All our hosted VMs have been updated to #GameOfTrees 0.125, with additional fixes relevant to repositories which make extensive use of merge commits in their #Git workflow (which seems to be the exception at present).
In case you ever run into errors about missing objects while fetching or sending please contact us here, or on IRC, or by email, and we will work it out. The cause for such problems is now well understood, the gotd server running on gothub.org VMs has been fixed, and we know how to repair affected repositories.
We have awarded our first free VM to Runxi Yu, in return for security issues they found in #GameOfTrees and reported to the project. Thanks!
We recommend updating your got clients to version 0.125 as soon as feasible to prevent potential man-in-the-middle scenarios against your gothub.org server and other Git servers you might be using.
Details here: https://bsd.network/@stsp/116546813289077690

(EDIT: Fixes for the issue described below, and for a second issue which is more severe, have now been shipped in got and got -portable 0.125)
If you are using #gameoftrees (on #OpenBSD or anywhere else) please always be diligent about checking SSH host key fingerprints.
Versioned files inside the work tree's meta-data .got directory can be created during 'got checkout' or changed during 'got update'. Files in the meta-data directory should never be under version control, yet the current implementation unfortunately allows this. Which provides a way for malicious repositories to configure remote servers stored in .got/got.conf which would then be used by the fetch and send commands. Unless you already have the bad host key stored, SSH will ask for verification of the bad server's host key fingerprint as the last line of defense against a man-in-the-middle.
The problem was reported to me by Runxi Yu about 2 hours ago.
A fix for this issue is being worked on: https://marc.gameoftrees.org/mail/1778362202.49408_0.html
As per @stsp's announcement:
https://bsd.network/@stsp/116550507403402183
I've also released got's -portable version 0.125
Same features as this version of got; no -portable specific changes in this release.
See: https://gameoftrees.org/portable.html
Usual mirror updated as well.
Any questions about this release, let me know.

The #Git compatible version control system #GameOfTrees has a new release numbered 0.125.
This release ships important fixes for two client-side security issues reported by Runxi Yu:
:flan_yikes: Arbitrary file overwrite with user permissions via crafted tree object entry names. Anywhere on the filesystem with got-portable, only in /tmp on #OpenBSD.
:flan_on_fire: Creation of .got/got.conf as a versioned file was possible. This could be abused to add malicious remote server entries to the run-time configuration used during fetch and send operations, potentially resulting in falsified Git history being downloaded.
Double-checking unknown SSH host key fingerprints is recommended as a mitigation. Never blindly accept SSH host keys. And avoid cloning and fetching over HTTPS if possible.
Thanks to Runxi Yu for spotting and reporting these issues :flan_flowers:
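
An added example, not part of the posts above and not code from the got project: a check that lists paths under a .got directory tracked in a commit, which is the condition the .got/got.conf issue depends on. It parses `git ls-tree -r -z` output; the function names and the sample listing are constructed for illustration, and flagging .got at any depth assumes a work tree may be rooted at a subdirectory of the repository.

```python
import subprocess
import sys

META_DIR = b".got"  # work tree meta-data directory named in the post


def parse_ls_tree(raw):
    """Yield (mode, type, oid, path) from `git ls-tree -r -z` output.

    Each record is "<mode> <type> <oid> TAB <path>" terminated by NUL; with
    -z paths are emitted verbatim, so unusual bytes in names are not quoted.
    """
    for record in raw.split(b"\0"):
        if not record:
            continue
        meta, _, path = record.partition(b"\t")
        mode, otype, oid = meta.split(b" ")
        yield mode, otype, oid, path


def tracked_metadata_paths(raw):
    """Return tracked paths that have a .got path component (assumption:
    any depth matters, since a work tree may be rooted at a subdirectory)."""
    hits = []
    for _mode, _otype, _oid, path in parse_ls_tree(raw):
        if META_DIR in path.split(b"/"):
            hits.append(path.decode("utf-8", "replace"))
    return hits


def scan(repo, rev="HEAD"):
    """Run git against a local (bare or non-bare) repository and scan rev."""
    out = subprocess.run(["git", "-C", repo, "ls-tree", "-r", "-z", rev],
                         check=True, capture_output=True).stdout
    return tracked_metadata_paths(out)


# Constructed sample listing (not from a real repository); the last entry
# uses a 64-hex object id, as a SHA256 repository would.
SAMPLE = b"".join(b"100644 blob %s\t%s\0" % rec for rec in [
    (b"a" * 40, b"README"),
    (b"b" * 40, b".got/got.conf"),
    (b"c" * 40, b"src/.gotignore"),
    (b"d" * 64, b"docs/.got/got.conf"),
])

if __name__ == "__main__":
    found = scan(sys.argv[1], *sys.argv[2:3]) if len(sys.argv) > 1 \
        else tracked_metadata_paths(SAMPLE)
    for p in found:
        print("tracked meta-data path:", p)
    sys.exit(1 if found else 0)
```

Invoked with a repository path (and optionally a commit or branch name), it exits non-zero when that commit tracks anything under .got; with no arguments it runs on the constructed sample.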