split gotd/session.c into session_read.c and session_write.c This makes it easier to tweak the read/write code paths separately.

get rid of gotd client_id field where it is not needed This ID was necessary back when session and repo processes supported connections from multiple clients. Nowadays, these processes run per connection and exit once a single client session has been served. The other processes already identify the client via the session/repo file descriptor which has sent an imsg.

add initial support for commit notifications to gotd(8) At present only email notifications are implemented. Code for HTTP notifications is not yet finished, hence HTTP-related documentation remains hidden for now. This adds a new 'notify' process which has an "exec" pledge. It runs helper programs which implement the notification transport layer, such as got-notify-email which speaks SMTP. This design avoids having to link all of gotd with network libraries and related crypto libraries. Notification content is generated by the 'repo_write' process. Commit log messages and diffstats are written to a file which the 'notify' process will pass on to its helpers on stdin. The default output looks similar to 'got log -d'. If too many new commits are present the output looks similar to 'got log -s' instead. Tags always look like 'got tag -l'. The session process coordinates generation of notifications. It maintains a notification queue which holds one notification per updated reference, and passes notification requests from this queue to the 'repo_write' process for notification content creation and then to the 'notify' process for notification delivery. Only one notification can be in flight at a time to avoid file descriptor starvation if many references get updated in a single client session. ok op@

convert to use imsg_get_fd() While here also fix a fd leak in got-read-pack. We were dup'ing imsg.fd without closing imsg.fd later; instead just use imsg_get_fd() to extract the file descriptor. Tested by falsifian and Kyle Ackerman, thanks! 'go ahead' stsp@

fix swapped format string arguments in gotd verify_imsg_src()

make the gotd auth process provide the user's account name for later use with tweaks from + ok op@

allow gotd repo read/write processes to max out data-size resource limits Proccessing large pack files can easily result in out-of-memory errors if the datasize limit is too conservative.

gotd: stop logging "unexpected end of file" when a client decides to disconnect

fix typo in a comment

make gitwrapper ignore 'permission denied' for repository paths We recommend that gotsh users should not have direct filesystem access to repositories served by gotd. Which means admins will be setting things up as follows if public read-access should be denied: chown _gotd /git chmod 700 /git su -m _gotd -c 'gotadmin init /git/repo.git" However, gitwrapper would error out when repositories listed in gotd.conf were inaccessible to the user invoking gitwrapper: git-upload-pack: /etc/gotd.conf:2: realpath /git/repo.git: Permission denied Make gitwrapper ignore such errors as they are expected in this situation. While here, add a PROC_GITWRAPPER process ID for use as a global variable parse.y can check while special-casing any specific behaviour required by gitwrapper. (The worse alternative would have been adding a new global variable to parse.y just to control the behaviour on realpath errors.) ok op@

gotd: wait asynchronously for children termination Instead of the current kill() + waitpid(WNOHANG), manage the subprocesses in a separate queue and handle SIGCHLD. A timer is installed to ensure that misbehaving subprocesses are still killed. Fixes the current "child PID 0 terminated" logs due to races with waitpid(). Issue initially reported by Josiah Frentsos. ok + tweaks stsp@

add kill_repo_proc() similarly to the other kill_*_proc() ok stsp@

missing semicolon... sigh I can't assume I can blindly add one simple line.

move gotd_child_proc to gotd.c make it opaque since it's unused outside of gotd.c. While here, drop the unused `nhelpers' field. ok/tweak stsp@

update gotd_proc_names after session process unveil changes fixes "proc (null)" appearing in gotd logs

unveil repositories read-only in gotd session process while serving fetches ok op@

gotd: return early after disconnect on auth event error This fixes a segv reported by Mikhail. In this path, any error is already logged, client freed, and event_del() called so we don't need to cleanup in done. ok stsp@

add support for protecting references against 'got send -f' to gotd ok op@

avoid gitwrapper printing a warning when /etc/gotd.conf does not exist gotd still requires the config file, of course, but gitwrapper must treat is as optional and remain silent if the file cannot be found.

add gitwrapper(1) ok op@, tracey@ earlier version

rename lib/sha1.c to lib/hash.c It will soon grow functions to deal with sha256 too. stsp@ agrees.

include sha2.h too where sha1.h is included In preparation for wide sha256 support; stsp@ agrees. Change done mechanically with find . -iname \*.[cy] -exec sam {} + X ,x/<sha1\.h>/i/\n#include <sha2.h>

fix gotd segfault in libevent while disconnecting clients Sending a DISCONNECT message to the repo process and then killing it and freeing its structure won't work. The message ends up on internal libevent queues and will soon crash because we have freed the memory for the event structre. Sending that message is a leftover from the times when the repo procs were persistent.

fix gotd and gotsh usage() function declaration "function declaration isn't a prototype" should fix the error seen by tracey@ on sparc64

make gotd parent dispatch handlers more robust during teardown We have observed gotd exiting after "cannot find client for fd N" errors. If this occurs then we are likely in the process of disconnecting a client session while processing an event from a child process. Treat the above error as non-fatal and stop processing more events from the child process.