author JoeyHess <> 2018-06-26 16:03:00 (GMT)
committer hdiff <hdiff@hdiff.luite.com> 2018-06-26 16:03:00 (GMT)
commit 2cdd87347d8d7aa238de5d163e78cae1d3a12c85 (patch)
tree 5f4cd7526be5ce21f5c9ab0fc4c4887f2f325496 /NEWS
parent 9ac5de07ccf351b09ffb9ad922ee85fe22fcfea6 (diff)
version 6.20180626
Diffstat (limited to 'NEWS')
-rw-r--r-- NEWS 26
1 files changed, 26 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index a127219..f757a23 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,29 @@
+git-annex (6.20180626) upstream; urgency=high
+
+ A security fix has changed git-annex to refuse to download content from
+ some special remotes when the content cannot be verified with a hash check.
+ In particular URL and WORM keys stored on such remotes won't be downloaded.
+ See the documentation of the annex.security.allow-unverified-downloads
+ configuration for how to deal with this if it affects your files.
+
+ A security fix has changed git-annex to only support http, https, and ftp
+ URL schemes by default. You can enable other URL schemes, at your own risk,
+ using annex.security.allowed-url-schemes.
+
+ A related security fix prevents git-annex from connecting to http
+ servers (and proxies) on localhost or private networks. This can
+ be overridden, at your own risk, using annex.security.allowed-http-addresses.
+
+ Setting annex.web-options no longer is enough to make curl be used,
+ and youtube-dl is also no longer used by default. See the
+ documentation of annex.security.allowed-http-addresses for
+ details and how to enable them.
+
+ The annex.web-download-command configuration has been removed,
+ use annex.web-options instead.
+
+ -- Joey Hess <id@joeyh.name> Fri, 15 Jun 2018 17:54:23 -0400
+
git-annex (6.20180309) upstream; urgency=medium
Note that, due to not using rsync to transfer files over ssh
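Review bot: The paragraph beginning "Setting annex.web-options no longer is enough" says curl and youtube-dl are no longer used by default but leaves both the reason and the way to re-enable them to the documentation of annex.security.allowed-http-addresses, so someone reading NEWS alone cannot see how this relates to the localhost and private-network restriction in the paragraph above it. One sentence stating that connection would make the entry self-contained. The first paragraph has a similar gap: "some special remotes" does not say which ones, so users cannot tell from this entry whether their URL or WORM keys are affected; naming them or pointing to where they are listed would help. "At your own risk" appears twice without saying what the risk is, which matters for an urgency=high entry where users are deciding whether to set annex.security.allowed-url-schemes or annex.security.allowed-http-addresses. Minor wording: "no longer is enough" reads better as "is no longer enough".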