commit c411e47788a36e7ef784414dcb9ecc54f809c0de
author David Ostrovsky <david@ostrovsky.org> Thu Dec 27 20:08:46 2018 +0100
committer David Pursehouse <dpursehouse@collab.net> Fri Jan 11 05:13:30 2019 +0000
tree 21c128b421b7f754c19981193a3614bc5f79a4b8
parent a927d62c1505610394a3ec8d0e5fb77f366cf4dc

Upgrade JGit to 5.2.1.201812262042-r

This release fixes an issue where AdvertiseRefsHook was not called for
git-upload-pack in protocol v0 stateless transports, meaning that
wants aren't validated and a user can fetch anything that is pointed
to by any ref (using fetch-by-sha1), as long as they can guess the
object name.

Bug: Issue 10262
Change-Id: I1018c6fcb5cd4e34d2b106929db3a8238f45cda0

lib/jgit/jgit.bzl

diff --git a/lib/jgit/jgit.bzl b/lib/jgit/jgit.bzl
index 4c576586..33489a2 100644
--- a/lib/jgit/jgit.bzl
+++ b/lib/jgit/jgit.bzl
@@ -1,12 +1,12 @@
-load("//tools/bzl:maven_jar.bzl", "GERRIT", "MAVEN_CENTRAL", "MAVEN_LOCAL", "maven_jar")
+load("//tools/bzl:maven_jar.bzl", "ECLIPSE", "GERRIT", "MAVEN_CENTRAL", "MAVEN_LOCAL", "maven_jar")
 
-_JGIT_VERS = "5.2.0.201812061821-r"
+_JGIT_VERS = "5.2.1.201812262042-r"
 
 _DOC_VERS = _JGIT_VERS  # Set to _JGIT_VERS unless using a snapshot
 
 JGIT_DOC_URL = "http://download.eclipse.org/jgit/site/" + _DOC_VERS + "/apidocs"
 
-_JGIT_REPO = MAVEN_CENTRAL  # Leave here even if set to MAVEN_CENTRAL.
+_JGIT_REPO = ECLIPSE  # Leave here even if set to MAVEN_CENTRAL.
 
 # set this to use a local version.
 # "/home/<user>/projects/jgit"
@@ -40,28 +40,28 @@
         name = "jgit-lib",
         artifact = "org.eclipse.jgit:org.eclipse.jgit:" + _JGIT_VERS,
         repository = _JGIT_REPO,
-        sha1 = "250269f30458084777a480895e390d2a42143da3",
-        src_sha1 = "eb28d59b3ed0c68a8ba54a38dfb7aa8af6ce624b",
+        sha1 = "34914e63e1463e40ba40e2e28b0392993ea3b938",
+        src_sha1 = "b1c9e2ae01dd31ab4957de54756ec11acc99bb30",
         unsign = True,
     )
     maven_jar(
         name = "jgit-servlet",
         artifact = "org.eclipse.jgit:org.eclipse.jgit.http.server:" + _JGIT_VERS,
         repository = _JGIT_REPO,
-        sha1 = "5d7fbe1c8528d881e2987c75e512df2cfa408d73",
+        sha1 = "18c8938c4d8966abed84fc9de6c09aaea8cc8d87",
         unsign = True,
     )
     maven_jar(
         name = "jgit-archive",
         artifact = "org.eclipse.jgit:org.eclipse.jgit.archive:" + _JGIT_VERS,
         repository = _JGIT_REPO,
-        sha1 = "6e49b0516b46ca90d394256d40c6069cdd8f2957",
+        sha1 = "08c945bc664e4efe0d0e9a878f96505076da2ca9",
     )
     maven_jar(
         name = "jgit-junit",
         artifact = "org.eclipse.jgit:org.eclipse.jgit.junit:" + _JGIT_VERS,
         repository = _JGIT_REPO,
-        sha1 = "723b9e6c54f8b3012dd7d4fe42b616b8d10ee230",
+        sha1 = "5a5fb36517cb05ca51cbb1f00a520142dc83f793",
         unsign = True,
     )
 

tools/bzl/maven_jar.bzl

diff --git a/tools/bzl/maven_jar.bzl b/tools/bzl/maven_jar.bzl
index 2ebb2c2..b284d0c 100644
--- a/tools/bzl/maven_jar.bzl
+++ b/tools/bzl/maven_jar.bzl
@@ -6,6 +6,8 @@
 
 MAVEN_LOCAL = "MAVEN_LOCAL:"
 
+ECLIPSE = "ECLIPSE:"
+
 def _maven_release(ctx, parts):
     """induce jar and url name from maven coordinates."""
     if len(parts) not in [3, 4]:

tools/util.py

diff --git a/tools/util.py b/tools/util.py
index 45d0541..3817f75 100644
--- a/tools/util.py
+++ b/tools/util.py
@@ -15,6 +15,7 @@
 from os import path
 
 REPO_ROOTS = {
+    'ECLIPSE': 'https://repo.eclipse.org/content/groups/releases',
     'GERRIT': 'http://gerrit-maven.storage.googleapis.com',
     'GERRIT_API':
         'https://gerrit-api.commondatastorage.googleapis.com/release',