Status: [Security] hash locking needed for tree-sitter downloads (bug#78542)
Date: Thu, 19 Jun 2025 06:06:29 +0000

retitle 78542 [Security] hash locking needed for tree-sitter downloads
reassign 78542 emacs
submitter 78542 Daniel Colascione
severity 78542 normal
thanks

From: Daniel Colascione
To: bug-gnu-emacs@gnu.org
Subject: [Security] hash locking needed for tree-sitter downloads
Date: Wed, 21 May 2025 15:12:32 -0400

When downloading code, a tag isn't good enough. We should insist on a
specific commit.
We have a fair bit of code in Emacs that looks like this:

  (add-to-list 'treesit-language-source-alist
               '(javascript "https://github.com/tree-sitter/tree-sitter-javascript" "v0.23.1")
               t)
  (add-to-list 'treesit-language-source-alist
               '(jsdoc "https://github.com/tree-sitter/tree-sitter-jsdoc" "v0.23.2")
               t)

The entries in treesit-language-source-alist mostly have tags but not
commit hashes. The expected commit hash should be *mandatory*, because
right now, anyone with access to one of these repositories can retarget
any of those tags at malicious code.

See https://snyk.io/blog/npm-security-preventing-supply-chain-attacks/

Every other important language ecosystem has evolved some kind of "hash
locking" capability for breaking the author-retargets-to-malware attack
vector. We should too. We shouldn't allow the commit hash to be absent
for ordinary users.

P.S. we've debated vendoring these grammars with Emacs. I still think
that's the right way to go. But if we're going to download and build,
we should at least do it in a secure way.

P.S.S. Do we need the list of grammars in build.sh under admin? It
duplicates what's in Lisp elsewhere in the tree.
From: Juri Linkov
To: Daniel Colascione
Cc: Yuan Fu, 78542@debbugs.gnu.org
Subject: Re: bug#78542: [Security] hash locking needed for tree-sitter downloads
Date: Thu, 22 May 2025 09:36:57 +0300
Message-ID: <87o6vlxijm.fsf@mail.linkov.net>

> When downloading code, a tag isn't good enough. We should insist on a
> specific commit.
> [...]
> The entries in treesit-language-source-alist mostly have tags but not
> commit hashes. The expected commit hash should be *mandatory*, because
> right now, anyone with access to one of these repositories can retarget
> any of those tags at malicious code.

Indeed, tags can be easily relocated to a different commit.

> Every other important language ecosystem has evolved some kind of "hash
> locking" capability for breaking the author-retargets-to-malware attack
> vector. We should too. We shouldn't allow the commit hash to be absent
> for ordinary users.

Agreed, "hash locking" should lock commit hashes, not tags.

> P.S. we've debated vendoring these grammars with Emacs. I still think
> that's the right way to go. But if we're going to download and build,
> we should at least do it in a secure way.

The only reason tags are currently used instead of commit hashes is
because there is no way to check out a specific commit with the
current implementation when the default value of
'treesit--install-language-grammar-full-clone' is nil.

> P.S.S. Do we need the list of grammars in build.sh under admin? It
> duplicates what's in Lisp elsewhere in the tree.

Apparently no need, so they could be removed.
From: Eli Zaretskii
To: Juri Linkov, casouri@gmail.com
Cc: 78542@debbugs.gnu.org, dancol@dancol.org
Subject: Re: bug#78542: [Security] hash locking needed for tree-sitter downloads
Date: Sat, 07 Jun 2025 11:05:51 +0300
Message-Id: <86wm9oj7s0.fsf@gnu.org>

Ping! Do we want to make some progress here?

> Cc: Yuan Fu, 78542@debbugs.gnu.org
> From: Juri Linkov
> Date: Thu, 22 May 2025 09:36:57 +0300
>
> > When downloading code, a tag isn't good enough. We should insist on a
> > specific commit.
> > [...]
> > The entries in treesit-language-source-alist mostly have tags but not
> > commit hashes. The expected commit hash should be *mandatory*, because
> > right now, anyone with access to one of these repositories can retarget
> > any of those tags at malicious code.
>
> Indeed, tags can be easily relocated to a different commit.
>
> > Every other important language ecosystem has evolved some kind of "hash
> > locking" capability for breaking the author-retargets-to-malware attack
> > vector. We should too. We shouldn't allow the commit hash to be absent
> > for ordinary users.
>
> Agreed, "hash locking" should lock commit hashes, not tags.
>
> > P.S. we've debated vendoring these grammars with Emacs. I still think
> > that's the right way to go. But if we're going to download and build,
> > we should at least do it in a secure way.
>
> The only reason currently tags are used instead of commit hashes is
> because there is no way to checkout a specific commit with the
> current implementation when the default value of
> 'treesit--install-language-grammar-full-clone' is nil.
>
> > P.S.S. Do we need the list of grammars in build.sh under admin? It
> > duplicates what's in Lisp elsewhere in the tree.
>
> Apparently no need, so they could be removed.

From: Juri Linkov
To: Eli Zaretskii
Cc: 78542@debbugs.gnu.org, casouri@gmail.com, dancol@dancol.org
Subject: Re: bug#78542: [Security] hash locking needed for tree-sitter downloads
Date: Sun, 08 Jun 2025 20:45:42 +0300
Message-ID: <87ecvugm9l.fsf@mail.linkov.net>

>> The only reason currently tags are used instead of commit hashes is
>> because there is no way to checkout a specific commit with the
>> current implementation when the default value of
>> 'treesit--install-language-grammar-full-clone' is nil.

Here is the current state:

1. (treesit--install-language-grammar-1
     (locate-user-emacs-file "tree-sitter") 'json
     "https://github.com/tree-sitter/tree-sitter-json")

   installs the latest commit 46aa487.

2. (treesit--install-language-grammar-1
     (locate-user-emacs-file "tree-sitter") 'json
     "https://github.com/tree-sitter/tree-sitter-json"
     "v0.24.8")

   installs the commit ee35a6e tagged v0.24.8.

3. (treesit--install-language-grammar-1
     (locate-user-emacs-file "tree-sitter") 'json
     "https://github.com/tree-sitter/tree-sitter-json"
     "4d770d3")

   fails to check out "4d770d3" with the error:

   git clone https://github.com/tree-sitter/tree-sitter-json --quiet --depth 1 -b 4d770d3
   warning: Could not find remote branch 4d770d3 to clone
   fatal: Remote branch 4d770d3 not found in upstream origin

4. (treesit--install-language-grammar-1
     (locate-user-emacs-file "tree-sitter") 'json
     "https://github.com/tree-sitter/tree-sitter-json"
     nil nil nil nil "4d770d3")

   fails to check out "4d770d3" with the error:

   git -C /tmp/treesit-workdirHhEIhg/repo checkout 4d770d3
   error: pathspec '4d770d3' did not match any file(s) known to git

After (setq treesit--install-language-grammar-full-clone t):

5. (treesit--install-language-grammar-1
     (locate-user-emacs-file "tree-sitter") 'json
     "https://github.com/tree-sitter/tree-sitter-json"
     "4d770d3")

   successfully installs the commit "v0.24.8-1-g4d770d3".

When treesit--install-language-grammar-full-clone is nil,
"--depth 1" is added to "git clone".

So we need a Git guru to recommend a command line to use
"git clone" with "--depth 1" to check out a single commit.
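The command line asked for above, as an added example that is not part of the thread and not code from Emacs, treesit.el or tree-sitter: git can fetch a single commit by its full object id at depth 1 (`git fetch --depth 1 origin <sha>` into a fresh repository, then check out FETCH_HEAD), which needs no tag or branch name at all. It assumes git is on PATH and that the server accepts a "want" for a commit that is not a ref tip (protocol v2 and GitHub do; the throwaway upstream the script constructs also sets uploadpack.allowAnySHA1InWant so the older protocol works too). The repository, commits, tag and file contents below are constructed for the demonstration. The helper also reproduces the attack from the original report, a tag moved onto different code, so the difference between `-b <tag>` and a pinned id is visible in the output.

```shell
#!/bin/sh
# Added example for bug#78542; not code from Emacs, treesit.el or tree-sitter.
# fetch_commit_shallow pins one commit by full object id at depth 1 and
# verifies that HEAD really is that commit.  demo() builds a throwaway
# upstream, moves its tag the way an attacker with push access would, and
# compares what "-b <tag> --depth 1" and the pinned fetch deliver.
#
# Assumptions: git is on PATH; the upstream accepts a "want" for a commit
# that is not a ref tip (protocol v2 and GitHub allow this; the constructed
# upstream below also sets uploadpack.allowAnySHA1InWant for v0 fallback).
set -eu

# fetch_commit_shallow URL SHA DIR
# Leaves DIR with exactly commit SHA checked out and a history of depth 1.
fetch_commit_shallow() {
    url=$1 sha=$2 dir=$3
    # Only a full id is a lock, and git will not fetch an abbreviation
    # anyway (the "4d770d3" attempts above fail for that reason).
    case ${#sha} in
        40|64) ;;
        *) echo "need a full commit id, got '$sha'" >&2; return 1 ;;
    esac
    git init -q "$dir"
    git -C "$dir" remote add origin "$url"
    # The "want" is the commit itself rather than "-b <tag>", so a moved
    # tag or branch cannot substitute other code; --depth 1 keeps the
    # download as small as the current shallow clone.
    git -C "$dir" fetch -q --depth 1 origin "$sha"
    git -C "$dir" checkout -q --detach FETCH_HEAD
    # Verify the pin before anything is built from the tree.
    got=$(git -C "$dir" rev-parse HEAD)
    [ "$got" = "$sha" ] || { echo "pin mismatch: wanted $sha, got $got" >&2; return 1; }
}

# demo: constructed upstream and attack.  Prints one line of four fields:
#   <pinned id> <HEAD of tag clone> <HEAD of pinned fetch> <depth of pinned fetch>
demo() {
    tmp=$(mktemp -d)
    export HOME=$tmp GIT_CONFIG_NOSYSTEM=1   # ignore the caller's git config
    up=$tmp/upstream
    git init -q "$up"
    git -C "$up" config user.name grammar-author
    git -C "$up" config user.email author@example.invalid
    git -C "$up" config uploadpack.allowAnySHA1InWant true
    # Release v1.0: the commit a maintainer reviewed and would record.
    printf 'module.exports = grammar({ name: "json" });\n' > "$up/grammar.js"
    git -C "$up" add grammar.js
    git -C "$up" commit -q -m 'v1.0'
    git -C "$up" tag v1.0
    pinned=$(git -C "$up" rev-parse HEAD)
    # Later: different code lands and the v1.0 tag is moved onto it.
    printf 'require("child_process").exec("id");\n' >> "$up/grammar.js"
    git -C "$up" commit -q -am 'v1.0 respin'
    git -C "$up" tag -f v1.0 >/dev/null
    url=file://$up                 # file:// so that --depth is honoured locally
    git clone -q --depth 1 -b v1.0 "$url" "$tmp/by-tag"   # what the tag-based clone gets
    fetch_commit_shallow "$url" "$pinned" "$tmp/by-sha"   # pinned alternative
    echo "$pinned $(git -C "$tmp/by-tag" rev-parse HEAD) $(git -C "$tmp/by-sha" rev-parse HEAD) $(git -C "$tmp/by-sha" rev-list --count HEAD)"
    rm -rf "$tmp"
}

demo
```

Run as is, the first and third fields agree (the pinned fetch delivered the reviewed commit), the second differs (the tag clone followed the moved tag), and the fourth is 1 (the pinned fetch is still shallow). For Emacs this means the alist entry has to carry the full 40-hex id rather than a 7-character prefix, and the install path would replace `git clone --depth 1 -b <ref>` with `git init` plus `git fetch --depth 1 origin <sha>` followed by the HEAD check.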
From: Yuan Fu
To: Juri Linkov
Cc: 78542@debbugs.gnu.org, Eli Zaretskii, dancol@dancol.org
Subject: Re: bug#78542: [Security] hash locking needed for tree-sitter downloads
Date: Mon, 9 Jun 2025 18:38:03 -0700

> On Jun 8, 2025, at 10:45 AM, Juri Linkov wrote:
>
>>> The only reason currently tags are used instead of commit hashes is
>>> because there is no way to checkout a specific commit with the
>>> current implementation when the default value of
>>> 'treesit--install-language-grammar-full-clone' is nil.
>
> Here is the current state:
>
> 1. (treesit--install-language-grammar-1
>      (locate-user-emacs-file "tree-sitter") 'json
>      "https://github.com/tree-sitter/tree-sitter-json")
>
>    installs the latest commit 46aa487.
>
> 2. (treesit--install-language-grammar-1
>      (locate-user-emacs-file "tree-sitter") 'json
>      "https://github.com/tree-sitter/tree-sitter-json"
>      "v0.24.8")
>
>    installs the commit ee35a6e tagged v0.24.8.
>
> 3. (treesit--install-language-grammar-1
>      (locate-user-emacs-file "tree-sitter") 'json
>      "https://github.com/tree-sitter/tree-sitter-json"
>      "4d770d3")
>
>    fails to check out "4d770d3" with the error:
>
>    git clone https://github.com/tree-sitter/tree-sitter-json --quiet --depth 1 -b 4d770d3
>    warning: Could not find remote branch 4d770d3 to clone
>    fatal: Remote branch 4d770d3 not found in upstream origin
>
> 4. (treesit--install-language-grammar-1
>      (locate-user-emacs-file "tree-sitter") 'json
>      "https://github.com/tree-sitter/tree-sitter-json"
>      nil nil nil nil "4d770d3")
>
>    fails to check out "4d770d3" with the error:
>
>    git -C /tmp/treesit-workdirHhEIhg/repo checkout 4d770d3
>    error: pathspec '4d770d3' did not match any file(s) known to git
>
> After (setq treesit--install-language-grammar-full-clone t):
>
> 5. (treesit--install-language-grammar-1
>      (locate-user-emacs-file "tree-sitter") 'json
>      "https://github.com/tree-sitter/tree-sitter-json"
>      "4d770d3")
>
>    successfully installs the commit "v0.24.8-1-g4d770d3".
>
> When treesit--install-language-grammar-full-clone is nil,
> "--depth 1" is added to "git clone".
>
> So we need a Git guru to recommend a command line to use
> "git clone" with "--depth 1" to check out a single commit.

Would it work if we do a blobless full clone, check out the commit, and
fetch depth=1? E.g.,

git clone https://github.com/tree-sitter/tree-sitter-json.git --filter=blob:none
cd tree-sitter-json
git checkout 4d770d3
git fetch --depth=1

Yuan

From: Juri Linkov
To: Yuan Fu
Cc: 78542@debbugs.gnu.org, Eli Zaretskii, dancol@dancol.org
Subject: Re: bug#78542: [Security] hash locking needed for tree-sitter downloads
Date: Tue, 10 Jun 2025 09:23:31 +0300
Message-ID: <87sek8p1h4.fsf@mail.linkov.net>

>> When treesit--install-language-grammar-full-clone is nil,
>> "--depth 1" is added to "git clone".
>>
>> So we need a Git guru to recommend a command line to use
>> "git clone" with "--depth 1" to check out a single commit.
>
> Would it work if we do a blobless full clone, checkout the commit, and fetch depth=1? Eg,
>
> git clone https://github.com/tree-sitter/tree-sitter-json.git --filter=blob:none
> cd tree-sitter-json
> git checkout 4d770d3
> git fetch --depth=1

This still keeps full history.
This means we could simply set the default value of
treesit--install-language-grammar-full-clone to t, or completely remove
this variable, if there is no way to clone at a specific commit without
fetching full history?

From: Daniel Colascione
To: Juri Linkov
Cc: Yuan Fu, 78542@debbugs.gnu.org, Eli Zaretskii
Subject: Re: bug#78542: [Security] hash locking needed for tree-sitter downloads
Date: Tue, 10 Jun 2025 00:44:30 -0700

Juri Linkov writes:

>>> When treesit--install-language-grammar-full-clone is nil,
>>> "--depth 1" is added to "git clone".
>>>
>>> So we need a Git guru to recommend a command line to use
>>> "git clone" with "--depth 1" to check out a single commit.
>>
>> Would it work if we do a blobless full clone, checkout the commit, and fetch depth=1? Eg,
>>
>> git clone https://github.com/tree-sitter/tree-sitter-json.git --filter=blob:none
>> cd tree-sitter-json
>> git checkout 4d770d3
>> git fetch --depth=1
>
> This still keeps full history.

There's a difference between full history and all blobs for all
revisions in this history. You can also use --shallow-since during the
clone with a date to further limit history. --shallow-exclude would
probably work even better, since you wouldn't need a date, but it's
broken for me somehow, at least with the repository above. But
--shallow-since works.