GNU bug report logs -
#78542
[Security] hash locking needed for tree-sitter downloads
Message #17 received at 78542 <at> debbugs.gnu.org (full text, mbox):
> On Jun 8, 2025, at 10:45 AM, Juri Linkov <juri <at> linkov.net> wrote:
>
>>> The only reason currently tags are used instead of commit hashes is
>>> because there is no way to checkout a specific commit with the
>>> current implementation when the default value of
>>> 'treesit--install-language-grammar-full-clone' is nil.
>
> Here is the current state:
>
> 1. (treesit--install-language-grammar-1
> (locate-user-emacs-file "tree-sitter") 'json
> "https://github.com/tree-sitter/tree-sitter-json")
>
> installs the latest commit 46aa487.
>
> 2. (treesit--install-language-grammar-1
> (locate-user-emacs-file "tree-sitter") 'json
> "https://github.com/tree-sitter/tree-sitter-json"
> "v0.24.8")
>
> installs the commit ee35a6e tagged v0.24.8.
>
> 3. (treesit--install-language-grammar-1
> (locate-user-emacs-file "tree-sitter") 'json
> "https://github.com/tree-sitter/tree-sitter-json"
> "4d770d3")
>
> fails to check out "4d770d3" with the error:
>
> git clone https://github.com/tree-sitter/tree-sitter-json --quiet --depth 1 -b 4d770d3
> warning: Could not find remote branch 4d770d3 to clone
> fatal: Remote branch 4d770d3 not found in upstream origin
>
> 4. (treesit--install-language-grammar-1
> (locate-user-emacs-file "tree-sitter") 'json
> "https://github.com/tree-sitter/tree-sitter-json"
> nil nil nil nil "4d770d3")
>
> fails to check out "4d770d3" with the error:
>
> git -C /tmp/treesit-workdirHhEIhg/repo checkout 4d770d3
> error: pathspec '4d770d3' did not match any file(s) known to git
>
> After (setq treesit--install-language-grammar-full-clone t):
>
> 5. (treesit--install-language-grammar-1
> (locate-user-emacs-file "tree-sitter") 'json
> "https://github.com/tree-sitter/tree-sitter-json"
> "4d770d3")
>
> successfully installs the commit "v0.24.8-1-g4d770d3".
>
> When treesit--install-language-grammar-full-clone is nil,
> "--depth 1" is added to "git clone".
>
> So we need a Git guru to recommend a command line to use
> "git clone" with "--depth 1" to check out a single commit.
Would it work if we do a blobless full clone, check out the commit, and fetch depth=1? E.g.,

    git clone https://github.com/tree-sitter/tree-sitter-json.git --filter=blob:none
    cd tree-sitter-json
    git checkout 4d770d3
    git fetch --depth=1

Yuan
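
An added example, not part of this thread or of Emacs's code: one way to combine "--depth 1" with a commit pin is to fetch the commit by its full hash into an empty repository and then compare HEAD against the pin. The function names are hypothetical, the upstream is a constructed local repository, and the sketch assumes a SHA-1 repository whose server accepts a commit hash as a fetch target.

```shell
#!/bin/sh
# Hypothetical helper: shallow-fetch exactly one pinned commit, then verify it.
# usage: fetch_pinned URL FULL_SHA DEST
fetch_pinned() {
    url=$1 pin=$2 dest=$3
    # "git fetch" treats only a full-length hex object name as a commit id;
    # an abbreviated hash such as 4d770d3 is looked up as a ref name and fails.
    case $pin in
        *[!0-9a-f]*) echo "pin must be lowercase hex" >&2; return 2 ;;
    esac
    [ "${#pin}" -eq 40 ] || { echo "pin must be a full 40-character hash" >&2; return 2; }

    git init --quiet "$dest" || return 1
    # Transfer only the pinned commit and its tree, with no history.
    git -C "$dest" fetch --quiet --depth 1 "$url" "$pin" || return 1
    git -C "$dest" -c advice.detachedHead=false checkout --quiet FETCH_HEAD || return 1

    # The hash lock: refuse the checkout unless HEAD is exactly the pin.
    [ "$(git -C "$dest" rev-parse HEAD)" = "$pin" ]
}

# Constructed sample upstream with three commits, so the pin can be a commit
# that is neither a branch tip nor a tag (the case that fails in the thread).
make_demo_upstream() {
    src=$1
    git init --quiet "$src"
    # Assumption: the serving side permits fetching a commit by hash.
    git -C "$src" config uploadpack.allowAnySHA1InWant true
    for n in 1 2 3; do
        echo "rev $n" > "$src/grammar.js"
        git -C "$src" add grammar.js
        git -C "$src" -c user.name=demo -c user.email=demo@example.invalid \
            commit --quiet -m "rev $n"
    done
}
```

The comparison at the end of fetch_pinned is what provides the lock: a tag or branch name can be moved upstream, while a full commit hash cannot silently resolve to different content.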
This bug report was last modified 8 days ago.