Upgrade JGit to 4.5.5.201812240535-r
This release fixes an issue where AdvertiseRefsHook was not called for
git-upload-pack in protocol v0 bidirectional transports, meaning that
wants aren't validated and a user can fetch anything that is pointed
to by any ref (using fetch-by-sha1), as long as they can guess the
object name.
Bug: Issue 10262
Change-Id: I5c1af5c7c549e1796fe6347c1ec08797471393a1
diff --git a/lib/jgit/BUCK b/lib/jgit/BUCK
index b6dd17d..8c9e1c6 100644
--- a/lib/jgit/BUCK
+++ b/lib/jgit/BUCK
@@ -1,16 +1,17 @@
include_defs('//lib/maven.defs')
-REPO = MAVEN_CENTRAL # Leave here even if set to MAVEN_CENTRAL.
-VERS = '4.5.4.201711221230-r'
+REPO = ECLIPSE # Leave here even if set to MAVEN_CENTRAL.
+VERS = '4.5.5.201812240535-r'
maven_jar(
name = 'jgit',
id = 'org.eclipse.jgit:org.eclipse.jgit:' + VERS,
- bin_sha1 = 'b30f322c7d441260f4fa454ce5de65cf7e961274',
- src_sha1 = '459f648f8bbf10e1aa0b122d4f9919e1779922e9',
+ bin_sha1 = '1dac8dd7deb4ec72939fe30cd6fd57c22fd4a403',
+ src_sha1 = '6c5fe5a2bd6b12571d15984916463f2f28223a93',
license = 'jgit',
unsign = True,
deps = [':ewah'],
+ repository = REPO,
exclude = [
'META-INF/eclipse.inf',
'about.html',
@@ -21,9 +22,10 @@
maven_jar(
name = 'jgit-servlet',
id = 'org.eclipse.jgit:org.eclipse.jgit.http.server:' + VERS,
- sha1 = '264fac29b6007146127156113ed3d4e0aa922b39',
+ sha1 = '6498fa4f4bd5db11d3069952540b68a9aef024c2',
license = 'jgit',
deps = [':jgit'],
+ repository = REPO,
unsign = True,
exclude = [
'about.html',
@@ -34,12 +36,13 @@
maven_jar(
name = 'jgit-archive',
id = 'org.eclipse.jgit:org.eclipse.jgit.archive:' + VERS,
- sha1 = '6b0b919ee42bf8276193c3c03581634bc3aa7e18',
+ sha1 = 'd64327d788ae43d79eb4e42d2432646c7b485789',
license = 'jgit',
deps = [':jgit',
'//lib/commons:compress',
'//lib:tukaani-xz',
],
+ repository = REPO,
unsign = True,
exclude = [
'about.html',
@@ -50,10 +53,11 @@
maven_jar(
name = 'junit',
id = 'org.eclipse.jgit:org.eclipse.jgit.junit:' + VERS,
- sha1 = '58ca0a0fba72f2db6e6b27bd464dc44a946a617c',
+ sha1 = '50c36e367e7df961c1acc9308b7d52ea21a73d91',
license = 'DO_NOT_DISTRIBUTE',
unsign = True,
deps = [':jgit'],
+ repository = REPO,
)
maven_jar(
diff --git a/lib/maven.defs b/lib/maven.defs
index 7f0bc1d..1b36fdb 100644
--- a/lib/maven.defs
+++ b/lib/maven.defs
@@ -13,6 +13,7 @@
# limitations under the License.
ATLASSIAN = 'ATLASSIAN:'
+ECLIPSE = 'ECLIPSE:'
GERRIT = 'GERRIT:'
GERRIT_API = 'GERRIT_API:'
ECLIPSE = 'ECLIPSE:'
diff --git a/tools/util.py b/tools/util.py
index ceb89ad..fb49664 100644
--- a/tools/util.py
+++ b/tools/util.py
@@ -23,6 +23,7 @@
REPO_ROOTS = {
'ATLASSIAN': 'https://maven.atlassian.com/content/repositories/atlassian-3rdparty',
+ 'ECLIPSE': 'https://repo.eclipse.org/content/groups/releases',
'GERRIT': 'http://gerrit-maven.storage.googleapis.com',
'GERRIT_API': 'https://gerrit-api.commondatastorage.googleapis.com/release',
'ECLIPSE': 'https://repo.eclipse.org/content/groups/releases',