romanzolotarev.com is a Fediverse instance that uses the ActivityPub protocol. In other words, users at this host can communicate with people that use software like Mastodon, Pleroma, Friendica, etc. all around the world.
This server runs the snac software and there is no automatic sign-up process.
I have finished up and merged the sha256 network support work which was started by @op some time ago.
This means the next release of #GameOfTrees will support cloning, fetching, and sending changes from/to SHA256-capable #Git servers (such as @forgejo).
Server-side support will need more work still so this won't immediately allow @gothub to host SHA256 repositories. But we also want to get that working eventually.
Happy hacking
All our hosted VMs have been updated to #GameOfTrees 0.125, with additional fixes relevant to repositories which make extensive use of merge commits in their #Git workflow (which seems to be the exception at present).
In case you ever run into errors about missing objects while fetching or sending please contact us here, or on IRC, or by email, and we will work it out. The cause for such problems is now well understood, the gotd server running on gothub.org VMs has been fixed, and we know how to repair affected repositories.
We have awarded our first free VM to Runxi Yu, in return for security issues they found in #GameOfTrees and reported to the project. Thanks!
We recommend updating your got clients to version 0.125 as soon as feasible to prevent potential man-in-the-middle scenarios against your gothub.org server and other Git servers you might be using.
Details here: https://bsd.network/@stsp/116546813289077690
The #Git compatible version control system #GameOfTrees has a new release numbered 0.125.
This release ships important fixes for two client-side security issues reported by Runxi Yu:
- Arbitrary file overwrite with user permissions via crafted tree object entry names. Anywhere on the filesystem with got-portable, only in /tmp on #OpenBSD.
- Creation of .got/got.conf as a versioned file was possible. This could be abused to add malicious remote server entries to the run-time configuration used during fetch and send operations, potentially resulting in falsified Git history being downloaded. Double-checking unknown SSH host key fingerprints is recommended as a mitigation. Never blindly accept SSH host keys. And avoid cloning and fetching over HTTPS if possible.
Thanks to Runxi Yu for spotting and reporting these issues.
(EDIT: Fixes for the issue described below, and for a second issue which is more severe, have now been shipped in got and got-portable 0.125)
If you are using #gameoftrees (on #OpenBSD or anywhere else) please always be diligent about checking SSH host key fingerprints.
Versioned files inside the work tree's meta-data .got directory can be created during 'got checkout' or changed during 'got update'. Files in the meta-data directory should never be under version control, yet the current implementation unfortunately allows this.
This provides a way for malicious repositories to configure remote servers stored in .got/got.conf which would then be used by the fetch and send commands. Unless you already have the bad host key stored, SSH will ask for verification of the bad server's host key fingerprint as the last line of defense against a man-in-the-middle.
The problem was reported to me by Runxi Yu about 2 hours ago. A fix for this issue is being worked on: https://marc.gameoftrees.org/mail/1778362202.49408_0.html
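Both issue classes described in the 0.125 release post and in this one come down to the same defensive check: a client unpacking a tree must refuse entry names that can escape their directory, and must refuse to treat anything under the work tree's .got meta-data directory as a versioned file. The C below is an added illustration of that validation, written for this page; it is not got's code (the real fix is in the mailing-list thread linked above), and the function names, the assumption that only the top-level `.got` component is the meta-data directory, and the sample paths are all constructed here.

```c
/* Added example, not got's own code: defensive validation of tree entry
 * names and work-tree paths, modelled on the two client-side issues
 * described above (path escape via crafted entry names, and a versioned
 * file landing inside the .got meta-data directory). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A single tree entry name (one path component, length given explicitly
 * because tree objects carry raw bytes) must be non-empty, must not be
 * "." or "..", and must not contain '/' or an embedded NUL byte. */
bool
tree_entry_name_ok(const char *name, size_t len)
{
	if (len == 0)
		return false;
	if (memchr(name, '\0', len) != NULL)
		return false;
	if (memchr(name, '/', len) != NULL)
		return false;
	if (len == 1 && name[0] == '.')
		return false;
	if (len == 2 && name[0] == '.' && name[1] == '.')
		return false;
	return true;
}

/* A versioned path relative to the work tree root: every component must
 * pass tree_entry_name_ok(), the path must not be absolute, and the first
 * component must not be ".got" (assumption: the meta-data directory lives
 * only at the top level of the work tree). Empty components such as "a//b"
 * or a trailing '/' are rejected as well. */
bool
worktree_path_ok(const char *path)
{
	const char *p = path;
	bool first = true;
	size_t clen;

	if (path == NULL || *path == '\0' || *path == '/')
		return false;

	for (;;) {
		clen = strcspn(p, "/");
		if (!tree_entry_name_ok(p, clen))
			return false;
		if (first && clen == 4 && memcmp(p, ".got", 4) == 0)
			return false;
		first = false;
		p += clen;
		if (*p == '\0')
			return true;
		p++;	/* skip '/'; a trailing '/' fails on the next round */
	}
}

/* Count how many of the given paths a client should refuse to check out. */
size_t
count_rejected(const char *const *paths, size_t n)
{
	size_t i, rejected = 0;

	for (i = 0; i < n; i++)
		if (!worktree_path_ok(paths[i]))
			rejected++;
	return rejected;
}

int
main(void)
{
	/* Constructed sample paths, as a malicious tree might present them. */
	const char *const samples[] = {
		"README",
		"lib/got.conf",
		".got/got.conf",
		"lib/../../etc/passwd",
		"/etc/passwd",
		"a//b",
	};
	size_t n = sizeof(samples) / sizeof(samples[0]), i;

	for (i = 0; i < n; i++)
		printf("%-24s %s\n", samples[i],
		    worktree_path_ok(samples[i]) ? "ok" : "REJECT");
	printf("%zu of %zu rejected\n", count_rejected(samples, n), n);
	return 0;
}
```

The entry-name check takes an explicit length rather than relying on a NUL terminator because a crafted tree object can embed a NUL inside a name; checking only up to the first NUL would let the remainder of the name (and the parser's idea of where the next entry starts) disagree.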