Comment 4 for bug 1990655

Simon Chopin (schopin) wrote :

Regarding the new upstream versions, they seemingly bump SONAME on minor versions (1.X), which is why it's not followed closely. However, I'd missed the 1.3.1 and 1.3.2 CVEs, since they're assigned to git rather than libgit2 and not mentioned on their security page :-/. I've just uploaded a new version fixing that, as well as addressing the warnings and fixing the debian/watch file.

I hadn't mentioned excluding libgit2-fixtures because it's a fairly straightforward, self-contained package, but thinking on it a bit more it'd make sense to leave it in universe, otherwise it'd have to be independently seeded.

The libssh2 MIR is there, I'd forgotten that it's a libgit2 direct dependency in addition to cargo: https://bugs.launchpad.net/ubuntu/+source/libssh2/+bug/1991650