@@ -156,7 +156,7 @@ Performance, Internal Implementation, Development Support etc.
156156 barrier to adoption.
157157
158158 * The final leg of SHA-256 transition plus doc updates. Note that
159- there is no inter-operability between SHA-1 and SHA-256
159+ there is no interoperability between SHA-1 and SHA-256
160160 repositories yet.
161161
162162 * CMake support to build with MSVC for Windows bypassing the Makefile.
@@ -184,10 +184,6 @@ Performance, Internal Implementation, Development Support etc.
184184 the ref backend in use, as its format is much richer than the
185185 normal refs, and written directly by "git fetch" as a plain file..
186186
187- * A handful of places in in-tree code still relied on being able to
188- execute the git subcommands, especially built-ins, in "git-foo"
189- form, which have been corrected.
190-
191187 * An unused binary has been discarded, and and a bunch of commands
192188 have been turned into into built-in.
193189
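Review bot: The unchanged entry directly after the removed paragraph still reads "and and a bunch of commands" and "turned into into built-in", and the entry just above ends with a double period ("a plain file.."). Since this change is a proofreading pass over the same section, those should be fixed here too. The removal of the "git-foo" entry is also not explained in the visible lines; if it was dropped because the change was reverted or is covered by another entry, say so in the commit message so readers do not assume the dashed-form fix still shipped.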
@@ -216,10 +212,25 @@ Performance, Internal Implementation, Development Support etc.
216212 * "diff-highlight" (in contrib/) had a logic to flush its output upon
217213 seeing a blank line but the way it detected a blank line was broken.
218214
215+ * The logic to skip testing on the tagged commit and the tag itself
216+ was not quite consistent which led to failure of Windows test
217+ tasks. It has been revamped to consistently skip revisions that
218+ have already been tested, based on the tree object of the revision.
219+
219220
220221Fixes since v2.28
221222-----------------
222223
224+ * The "mediawiki" remote backend which lives in contrib/mw-to-git/
225+ and is not built with git by default, had an RCE bug allowing a
226+ malicious MediaWiki server operator to inject arbitrary commands
227+ for execution by a cloning client. This has been fixed.
228+
229+ The bug was discovered and reported by Joern Schneeweisz of GitLab
230+ to the git-security mailing list. Its practical impact due to the
231+ obscurity of git-remote-mediawiki was deemed small enough to forgo
232+ a dedicated security release.
233+
223234 * "git clone --separate-git-dir=$elsewhere" used to stomp on the
224235 contents of the existing directory $elsewhere, which has been
225236 taught to fail when $elsewhere is not an empty directory.
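Review bot: The new mediawiki RCE entry carries no reference to the fixing commit or topic, while neighbouring entries in this list end with a "(merge <commit> <topic> later to maint)" line. Because the text says a dedicated security release was forgone, this entry is the only notice users of contrib/mw-to-git/ will get, so it should name the fix and state whether it will reach the maintenance track, letting packagers who ship the contrib helper confirm they have it. A short pointer to what input was mishandled would also help, as "inject arbitrary commands" alone does not tell an operator which usage is affected.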
@@ -355,16 +366,13 @@ Fixes since v2.28
355366 "git log --tags=no-tag-matches-this-pattern" does.
356367 (merge 04a0e98515 jk/rev-input-given-fix later to maint).
357368
358- * Various callers of run_command API has been modernized.
369+ * Various callers of run_command API have been modernized.
359370 (merge afbdba391e jc/run-command-use-embedded-args later to maint).
360371
361372 * List of options offered and accepted by "git add -i/-p" were
362373 inconsistent, which have been corrected.
363374 (merge ce910287e7 pw/add-p-allowed-options-fix later to maint).
364375
365- * Various callers of run_command API has been modernized.
366- (merge afbdba391e jc/run-command-use-embedded-args later to maint).
367-
368376 * "git diff --stat -w" showed 0-line changes for paths whose changes
369377 were only whitespaces, which was not intuitive. We now omit such
370378 paths from the stat output.
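Review bot: The context entry next to the corrected one, "List of options offered and accepted by "git add -i/-p" were inconsistent, which have been corrected", has the same subject-verb agreement problem that this hunk fixes for the run_command entry. Suggest rewording it in the same pass, for example "The lists of options ... were inconsistent, which has been corrected".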
@@ -381,7 +389,7 @@ Fixes since v2.28
381389 information (e.g. "@{u}" does not record what branch the user was
382390 on hence which branch 'the upstream' needs to be computed, and even
383391 if the record were available, the relationship between branches may
384- have changed), at least hide the error to allow "status" show its
392+ have changed), at least hide the error and allow "status" to show its
385393 output.
386394
387395 * "git status --short" quoted a path with SP in it when tracked, but
@@ -398,7 +406,7 @@ Fixes since v2.28
398406 (merge 378fe5fc3d mt/config-fail-nongit-early later to maint).
399407
400408 * There is a logic to estimate how many objects are in the
401- repository, which is mean to run once per process invocation, but
409+ repository, which is meant to run once per process invocation, but
402410 it ran every time the estimated value was requested.
403411 (merge 67bb65de5d jk/dont-count-existing-objects-twice later to maint).
404412
@@ -411,8 +419,8 @@ Fixes since v2.28
411419 which has been corrected.
412420 (merge 4e735c1326 ar/fetch-ipversion-in-all later to maint).
413421
414- * The "unshelve" subcommand of "git p4" used incorrectly used
415- commit^N where it meant to say commit~N to name the Nth generation
422+ * The "unshelve" subcommand of "git p4" incorrectly used commit^N
423+ where it meant to say commit~N to name the Nth generation
416424 ancestor, which has been corrected.
417425 (merge 0acbf5997f ld/p4-unshelve-fix later to maint).
418426