On Tue, Dec 30, 2014 at 08:13:08AM -0800, tony mancill wrote: > On 12/30/2014 05:18 AM, Emmanuel Bourg wrote: > > Here are the relevant commits to backport: > > > > Always ignore case when forbidding .git in ObjectChecker > > https://github.com/eclipse/jgit/commit/07612a6 > > > > Disallow ".git." and ".git<space>" > > https://github.com/eclipse/jgit/commit/10310bf > > > > Disallow Windows shortname "GIT~1" > > https://github.com/eclipse/jgit/commit/a09b1b6 > > > > Disallow names potentially mapping to ".git" on HFS+ > > https://github.com/eclipse/jgit/commit/d476d2f > > I spent some time looking at this too, but from the perspective of what > upstream release branches have these commits. > > They are on stable-3.4, which is version 3.4.2 (and is the closest to > 3.4.0, which is what we have in jessie/sid), but upstream didn't apply > them to stable-2.0 (wheezy). So I think the patches will need to be > cherry-picked or hand-applied to our source versions. > > We'll also need to create security-${RELEASE} branches in the pkg-java > repo for this, as 3.5.2 has already been staged on master. > > I do wonder how many of our users are running case-insensitive file > systems though...
Can we please get that fixed in jessie? Cheers, Moritz -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org