Merged
The patches in this directory are exported via `git format-patch`
from Git commits. Sadly, those Git commits' OIDs are written as part of
the `.patch` file contents. Even more sadly, the exact OIDs depend on
the committer as well as the author information. And while the author
information is encoded in the `.patch` files, the committer information
is obviously not included. That makes those commit OIDs very unstable,
which means that once another person exports them, they differ.

To help with this, I re-imported those patches into a fresh Git
repository in `src/playground/`, after using the `import-tars.perl`
script from Git's `contrib/fast-import/` directory:

    /path/to/import-tars.perl ../curl-8.19.0.tar.bz2

I then ensured that the commit OIDs are stable by forcing the committer
information to match the author information:

    git fast-export --no-data HEAD |
    awk '/^author /{a=$0} /^committer /{$0="committer " substr(a,8)} 1' |
    git fast-import --force --quiet

This way, the next time somebody else needs to extend or modify the
patch set, they can end up with identical commit OIDs.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
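
Why the committer line makes the OIDs unstable, and why forcing it to match the author line fixes that, shown as an added example that is not part of the commit or of the project's tooling. It hashes constructed commit objects the way Git does and applies the same author-to-committer rewrite to raw commit headers rather than to a `git fast-export` stream; the identities, timestamps and subjects are assumptions made up for the illustration.

```python
import hashlib

EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"  # Git's well-known empty tree
AUTHOR = "A U Thor <author@example.com> 1700000000 +0000"  # constructed identities
ALICE = "Alice <alice@example.com> 1776000000 +0200"
BOB = "Bob <bob@example.com> 1776090000 -0700"
SERIES = ["constructed patch 1", "constructed patch 2"]  # constructed subjects

def git_oid(kind: str, body: bytes) -> str:
    """SHA-1 object ID: hash of '<kind> <size>\\0' followed by the object body."""
    return hashlib.sha1(f"{kind} {len(body)}\0".encode() + body).hexdigest()

def force_committer_to_author(raw: str) -> str:
    """The awk rewrite from the commit message, applied to a raw commit header."""
    header, sep, message = raw.partition("\n\n")
    author, out = "", []
    for line in header.split("\n"):
        if line.startswith("author "):
            author = line[len("author "):]
        elif line.startswith("committer "):
            line = "committer " + author  # identity and timestamp both copied
        out.append(line)
    return "\n".join(out) + sep + message

def import_series(subjects, committer, normalize=False):
    """Import a patch series as `committer`; return the OID of each commit."""
    oids, parent = [], None
    for subject in subjects:
        lines = [f"tree {EMPTY_TREE}"]
        if parent:
            lines.append(f"parent {parent}")  # parent OID is hashed too
        lines += [f"author {AUTHOR}", f"committer {committer}", "", subject, ""]
        raw = "\n".join(lines)
        if normalize:
            raw = force_committer_to_author(raw)
        parent = git_oid("commit", raw.encode())
        oids.append(parent)
    return oids

if __name__ == "__main__":
    for who in (ALICE, BOB):
        print("as imported:", import_series(SERIES, who))
        print("normalized: ", import_series(SERIES, who, normalize=True))
```

Because each commit hashes its parent's OID, a single differing committer line changes every later OID in the series, which is why the rewrite has to cover the whole history.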
When users choose Kerberos as authentication method, little do they know that there's a provision to fall back to the very weak NTLM authentication instead of using the otherwise quite strong Kerberos authentication methods. The mechanism to choose e.g. NTLM is called "SPNEGO".

By somewhat lucky happenstance, a recent security fix that wanted to disable NTLM in Git for Windows by default was _not_ affected by this, due to a quite long-standing bug in Git: Kerberos authentication is simply never attempted by default. Users need to configure `http.emptyAuth=true` to enable it, even though the `http.emptyAuth=auto` default promises to behave in the same way.

In preparation for fixing that `http.emptyAuth` bug _without_ weakening the security bug fix that disables NTLM by default, these two patches disable NTLM via SPNEGO altogether.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
mjcheetham approved these changes Apr 13, 2026
/deploy mingw-w64-curl
The i686/x86_64 and the arm64 workflow runs were started.
/add relnote bug The recent security bug fix that disables NTLM by default missed the NTLM fallback in the Kerberos protocol. This fallback is now disabled, following the cURL project's guidance.
The workflow run was started
github-actions bot pushed a commit to git-for-windows/build-extra that referenced this pull request Apr 13, 2026
The recent security bug fix that disables NTLM by default missed the NTLM fallback in the Kerberos protocol. This fallback [is now disabled](git-for-windows/MINGW-packages#193), following the cURL project's guidance.

Signed-off-by: gitforwindowshelper[bot] <gitforwindowshelper-bot@users.noreply.github.com>
This was referenced Apr 14, 2026
Git for Windows recently offered a new security bug release, which essentially disables NTLM by default. This is considered an important measure to heighten the security stance of Git for Windows. However, there is another path which allows NTLM that was not yet covered in Git for Windows: the SPNEGO mechanism that allows downgrading Kerberos to NTLM.
This PR disables NTLM via SPNEGO altogether, in line with what the primary cURL maintainer wants, too.