How to handle locally updated Git binary

asked 2016-03-26 06:53:54 -0500

grenade

Because of recent git vulnerability issues, I removed the git package from my Fedora 23 instances with sudo dnf erase -y git and added exclude=git to /etc/dnf/dnf.conf. Since I still need git in my workflow, I installed it from source like so:

sudo dnf install -y curl-devel expat-devel gettext-devel openssl-devel perl-devel zlib-devel asciidoc xmlto docbook2X
sudo ln -s /usr/bin/db2x_docbook2texi /usr/bin/docbook2x-texi
# fetch the signing key from gpg2's configured keyserver
gpg2 --recv-keys 96AFE6CB
# the detached signature covers the uncompressed tarball
gunzip git-2.7.4.tar.gz
gpg2 --verify git-2.7.4.tar.sign git-2.7.4.tar
# gunzip has already replaced the .tar.gz with the .tar
tar -xvf git-2.7.4.tar && cd git-2.7.4
make configure
./configure --prefix=/usr
make all doc info
sudo make install install-doc install-html install-info

However, I use some packages that rely on git (pass). Since I no longer have the maintained package for git installed, these packages will refuse to install.

Is there a way to fool DNF into believing a package is installed when it isn't? Or another nice way of handling this?

Interesting, can you provide information on the git vulnerability you mention? Or maybe just a link to more info? Thanks!

florian ( 2016-03-28 14:30:23 -0500 )

It's on the sec lists for those who know where to look, but posting links is a little frowned on right now because the vulnerability will only be announced when most hosts have had time to patch.

grenade ( 2016-03-29 06:06:28 -0500 )

Thanks, found it. Very clever not posting a link. Thanks, florian.

florian ( 2016-03-29 09:12:24 -0500 )

3 Answers

answered 2016-03-30 05:22:28 -0500

genodeftest

updated 2016-03-30 13:18:52 -0500

Git has been updated now. Just install the package again.

Bug reports against Fedora: #1317981, #1318220

Updated packages:

  • For Fedora 23 it should already be in your updates. Just keep your system updated.
  • For Fedora 22 it should land soon, or you can manually install it from Koji.

If you really know what you are doing you can use the dnf mark install git command. See man dnf for details. You don't need dummy packages any more.

answered 2016-03-26 11:05:45 -0500

davidva

updated 2016-03-26 11:38:26 -0500

Hi. A dummy RPM, or make an updated git RPM... I prefer an updated git RPM because you can help us.

Also, you can report the vulnerability in Bugzilla.

Definitely report a bug and/or patch the RPM.

subpop ( 2016-03-26 23:27:39 -0500 )

Because git is a well maintained package, I don't think I'm the right person to roll an update (I did try, but it's not trivial). I'm sure the maintainers are on the case. But the dummy package might tide me over till that happens.

grenade ( 2016-03-27 03:11:15 -0500 )

The bug has been reported and fixed some time ago.

genodeftest ( 2016-03-30 05:25:22 -0500 )
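
The dummy-RPM approach mentioned in the answer above, as an added example that is not part of the original thread: an empty package that declares a versioned `Provides: git`, built only when the git on PATH really is that version. The package name `git-local-dummy` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: an empty RPM whose only job is to declare "Provides: git".
# "git-local-dummy" and all function names below are hypothetical.

# Emit the spec file. $1 = version of the source-built git.
dummy_git_spec() {
    version="$1"
    cat <<EOF
Name:           git-local-dummy
Version:        ${version}
Release:        1
Summary:        Placeholder that satisfies RPM dependencies on git
License:        Public Domain
BuildArch:      noarch
# Versioned virtual provide, so "Requires: git" in other packages resolves.
Provides:       git = ${version}

%description
Empty package. git ${version} was built from source with --prefix=/usr,
so RPM tracks neither its files nor its security updates.

%files
EOF
}

# True only if the git on PATH reports exactly the claimed version, so the
# placeholder never advertises a version that is not actually installed.
installed_git_matches() {
    command -v git >/dev/null 2>&1 || return 1
    [ "$(git --version 2>/dev/null)" = "git version $1" ]
}

# Build the placeholder with rpmbuild (output lands in rpmbuild's RPMS dir).
build_dummy_git_rpm() {
    version="$1"
    installed_git_matches "$version" || { echo "git $version not on PATH" >&2; return 1; }
    command -v rpmbuild >/dev/null 2>&1 || { echo "rpmbuild not installed" >&2; return 1; }
    spec="$(mktemp -d)/git-local-dummy.spec"
    dummy_git_spec "$version" > "$spec"
    rpmbuild -bb "$spec"
}
```

Because the package is not named `git`, the `exclude=git` line in `/etc/dnf/dnf.conf` does not block it. Once the distribution ships a fixed git package, remove both the placeholder and the exclude line so dnf tracks git updates again.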

answered 2016-03-26 12:39:25 -0500

Not advisable. A dependency on git is there not because it's popular but because it is integral to such an application, but you can always exclude it as a dependency when installing or updating apps.

For example, when I install a DE I always exclude wallpapers:

sudo dnf install @mate-desktop -x fedora-wallpaper


sudo dnf update @mate-desktop -x fedora-wallpaper

More info on DNF commands, click here.

That looked promising for a minute but doesn't seem to work for dependencies. At a guess, it's for excluding parts of meta-packages.

grenade ( 2016-03-27 03:09:22 -0500 )

