git-annex 6.20180626 is an important security fix release. See [[the advisory|security/CVE-2018-10857_and_CVE-2018-10859]] for details about the security holes fixed in this release. After upgrading git-annex, you should restart any git-annex assistant processes. Several changes to git-annex's behavior had to be made as part of the security fixes: * A security fix has changed git-annex to refuse to download content from some special remotes when the content cannot be verified with a hash check. In particular URL and WORM keys stored on such remotes won't be downloaded. See the documentation of the annex.security.allow-unverified-downloads configuration for how to deal with this if it affects your files. * A security fix has changed git-annex to only support http, https, and ftp URL schemes by default. You can enable other URL schemes, at your own risk, using annex.security.allowed-url-schemes. * A related security fix prevents git-annex from connecting to http servers (and proxies) on localhost or private networks. This can be overridden, at your own risk, using annex.security.allowed-http-addresses. * Setting annex.web-options no longer is enough to make curl be used, and youtube-dl is also no longer used by default. See the documentation of annex.security.allowed-http-addresses for details and how to enable them. * The annex.web-download-command configuration has been removed, use annex.web-options instead.