This relates to https://gist.github.com/EliahKagan/cf7f0063d67c08a67747036bb000f8b9.
many_different_states fails on Windows with GIX_TEST_IGNORE_ARCHIVES=1
These are gitoxide test runs with GIX_TEST_IGNORE_ARCHIVES=1 cargo nextest run --all --no-fail-fast on Windows 10 64-bit (with developer mode enabled, i.e., unprivileged symlink creation).
This is a rerun after Byron/gitoxide#1441 and can be compared to https://gist.github.com/EliahKagan/03e2e2d06299c5ba13837f327afa8536, which is linked from Byron/gitoxide#1358. There is one new test failure:
This is a draft, not in its final form, of a comment in Byron/gitoxide#1437. At minimum the forthcoming PRs need to be opened and their PR numbers filled in.
This adds notices for the Windows device name handling vulnerability CVE-2024-35197 (https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9). This is a separate vulnerability from the one that # is about—and I cannot open a single PR for both because they both have RUSTSEC-0000-0000.md files in two of the same locations until IDs are assigned—but it is likewise discussed in Byron/gitoxide#1437 (cc @Byron).
The advisory text (long description) is what I wrote for https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9 and is essentially the same as in the global advisory. This is analogous to the situation in #, albeit for different advisories/vulnerabilities. Both there and here, it is and has always been my intention that this text be dedicated to the public domain (with CC0).
Some of the same considerations there apply here as well, su
This adds notices for the directory traversal vulnerability CVE-2024-35186 (https://github.com/Byron/gitoxide/security/advisories/GHSA-7w47-3wg8-547c), as discussed in Byron/gitoxide#1437 (cc @Byron). The gitoxide project is divided into a substantial number of crates, and multiple crates are affected, in the sense of containing code that needed to be changed to fix the vulnerability.
This PR proposes notices for only three of the seven crates listed as affected in https://github.com/Byron/gitoxide/security/advisories/GHSA-7w47-3wg8-547c. I believe these to be the primary affected crates, such that the other crates are mainly affected due to their use of the primary affected crates (though their code also had to be changed to fit the new API). This is in accordance with my extrapolation of the guidance given in rustsec/advisory-db#1703 (comment) and rustsec/advisory-db#1705 (comment), but I am not certa
cargo install gitoxide --no-default-features --features 'max-control,gix-features/zlib-stock,gitoxide-core-blocking-client,http-client-curl'
diskpart
select disk 0
convert gpt
create partition primary
select partition 1
format fs=ntfs quick
assign letter=C:
The "before" run, run-1-before-change.txt, is without a change I am proposing. The build fails due to a compile error in a test in gix-revision.
The "after" run, run-2-after-change.txt, is with the proposed change. 28 tests fail, but all crates' tests are able to be compiled and attempted.
PS C:\Users\ek> cargo install gitoxide --no-default-features --features 'max-control,gix-features/zlib-stock,gitoxide-core-blocking-client,http-client-curl'
Updating crates.io index
Installing gitoxide v0.36.0
Updating crates.io index
Locking 293 packages to latest compatible versions
Adding bitflags v1.3.2 (latest: v2.6.0)
Adding crosstermion v0.13.0 (latest: v0.14.0)
Adding dashmap v5.5.3 (latest: v6.0.1)
Adding env_logger v0.10.2 (latest: v0.11.3)
Adding hashbrown v0.12.3 (latest: v0.14.5)