fix gotd sometimes reading reused deltas from wrong pack file The reuse-pack is pinned but may change its cache slot while objects are being deltified. Refresh the pointer to the pinned reuse-pack before writing out the pack file, ensuring that reused deltas will in fact be read from the reuse-pack and not some other pack. Otherwise gotd may send a broken pack file, or hit an ERR_RANGE condition if the pack file which now occupies the pinned-pack's old cache slot is shorter. Which can trigger attempts to read beyond end-of-file which show up in the logs like this: gotd[37311]: repo_read /var/git/got.git: sending packfile: value out of range gotd[43877]: uid 1002: value out of range gotd[43877]: uid 1002: disconnecting

properly initialize csum struct in write_packed_object() fixes send.sh test fallout on arm64 and should also fix i386 ok op@

add some helper functions to compute hashes This adds a set of functions to abstract over SHA1Init, SHA1Update, SHA1Final, their respective SHA256 variants and how to compare digests. Replace all the SHA1*() usage with the new APIs. It's a preparatory step for sha256 handling. ok stsp@

include sha2.h too where sha1.h is included In preparation for wide sha256 support; stsp@ agrees. Change done mechanically with find . -iname \*.[cy] -exec sam {} + X ,x/<sha1\.h>/i/\n#include <sha2.h>

gotadmin pack: add a -D flag to force using ref-delta Intended mostly for the regress suite, so we'll be able to test also the ref-delta code paths. ok stsp@

avoid copying reused deltas to delta cache file; copy from pack file instead ok op@

introduce gotd(8), a Git repository server reachable via ssh(1) This is an initial barebones implementation which provides the absolute minimum of functionality required to serve got(1) and git(1) clients. Basic fetch/send functionality has been tested and seems to work here, but this server is not yet expected to be stable. More testing is welcome. See the man pages for setup instructions. The current design uses one reader and one writer process per repository, which will have to be extended to N readers and N writers in the future. At startup, each process will chroot(2) into its assigned repository. This works because gotd(8) can only be started as root, and will then fork+exec, chroot, and privdrop. At present the parent process runs with the following pledge(2) promises: "stdio rpath wpath cpath proc getpw sendfd recvfd fattr flock unix unveil" The parent is the only process able to modify the repository in a way that becomes visible to Git clients. The parent uses unveil(2) to restrict its view of the filesystem to /tmp and the repositories listed in the configuration file gotd.conf(5). Per-repository chroot(2) processes use "stdio rpath sendfd recvfd". The writer defers to the parent for modifying references in the repository to point at newly uploaded commits. The reader is fine without such help, because Git repositories can be read without having to create any lock-files. gotd(8) requires a dedicated user ID, which should own repositories on the filesystem, and a separate secondary group, which should not have filesystem-level repository access, and must be allowed access to the gotd(8) socket. To obtain Git repository access, users must be members of this secondary group, and must have their login shell set to gotsh(1). gotsh(1) connects to the gotd(8) socket and speaks Git-protocol towards the client on the other end of the SSH connection. gotsh(1) is not an interactive command shell. At present, authenticated clients are granted read/write access to all repositories and all references (except for the "refs/got/" and the "refs/remotes/" namespaces, which are already being protected from modification). While complicated access control mechanism are not a design goal, making it possible to safely offer anonymous Git repository access over ssh(1) is on the road map.

let callers of got_pack_create() configure rate-limiting of progress reporting Needed by future gotd(8), where progress reports will be sent to a network socket, rather than a local terminal.

move privsep code from pack_create.c into new file pack_create_privsep.c Needed by future gotd(8). ok op@

move got_opentempfd() call out of got_pack_create() Future gotd(8) needs to run got_pack_create() in a chroot environment, so we can no longer open new temporary files inside got_pack_create(). ok op@

make got_pack_create() write to a file descriptor instead of a stdio FILE The old code required a seekable output file. This conflicts with requirements of future gotd(8), which will write pack file data to network sockets. ok op@

remove trailing whitespace; patch by Josiah Frentsos

mark got_error_fmt as printf-like and fix the arisen errors ok stsp@

implement support for commit coloring in got-read-pack for speed ok op, tracey

build with -Wwrite-strings Throwing this into the mix for a while, we can always get rid of it again if it becomes annoying. No objections from stsp@