GNU bug report logs -
#78542
[Security] hash locking needed for tree-sitter downloads
Reported by: Daniel Colascione <dancol <at> dancol.org>
Date: Wed, 21 May 2025 19:13:04 UTC
Severity: normal
Fixed in version 31.0.50
Done: Juri Linkov <juri <at> linkov.net>
Bug is archived. No further changes may be made.
On June 19, 2025 1:54:08 PM EDT, Juri Linkov <juri <at> linkov.net> wrote:
>> + (if commit
>> + ;; Force blobless full clone to be able later
>> + ;; to checkout a commit (bug#78542).
>> + (let ((treesit--install-language-grammar-blobless t)
>> + (treesit--install-language-grammar-full-clone t))
>> + (treesit--git-clone-repo url revision workdir))
>> + (treesit--git-clone-repo url revision workdir)))
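Review bot: The `(if commit` test at the top of this hunk only checks that a commit was supplied, so an abbreviated value such as the 7-character "4d770d3" used in the examples in this thread takes the pinned path unchanged. If the pin is meant as an integrity check, consider rejecting anything that is not a full object name (40 hex digits for SHA-1, 64 for SHA-256) before cloning, and comparing the resulting HEAD against the pin after checkout.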
>
>Since with this change it's possible to specify the commit,
>let's also improve the format of the source list.
>Currently adding a commit to the list requires
>prefixing it with four nils:
>
> (treesit--install-language-grammar-1
> (locate-user-emacs-file "tree-sitter") 'json
> "https://github.com/tree-sitter/tree-sitter-json"
> nil nil nil nil "4d770d3")
>
>The following patch introduces an alternative format
>using keywords, e.g.:
>
> (treesit--install-language-grammar-1
> (locate-user-emacs-file "tree-sitter") 'json
> "https://github.com/tree-sitter/tree-sitter-json"
> :commit "4d770d3")
>
Great. While you're doing this, can you also please use full hashes? Short ones aren't particularly collision resistant.
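
An added example, not part of this thread or of treesit.el: one way to enforce the full-hash request above in Emacs Lisp, by rejecting abbreviated pins and confirming after checkout that HEAD is exactly the pinned commit. The `my/` function names are hypothetical, and a `git` executable on the PATH is assumed.

```elisp
;;; -*- lexical-binding: t -*-
;; Added example; the my/ names are hypothetical and not part of treesit.el.

(defun my/full-commit-hash-p (rev)
  "Return non-nil if REV is a full Git object name.
That is 40 lowercase hex digits (SHA-1) or 64 (SHA-256).
Abbreviated hashes, tags and branch names are all rejected."
  (and (stringp rev)
       (let ((case-fold-search nil))
         (string-match-p
          "\\`\\(?:[0-9a-f]\\{40\\}\\|[0-9a-f]\\{64\\}\\)\\'" rev))))

(defun my/verify-pinned-checkout (workdir pinned)
  "Signal an error unless HEAD in WORKDIR is exactly the commit PINNED.
Return the verified hash on success."
  ;; Refuse the pin outright if it is not a full object name, so a
  ;; short prefix can never be resolved to whichever object matches it.
  (unless (my/full-commit-hash-p pinned)
    (error "Refusing abbreviated or malformed commit pin: %S" pinned))
  (let* ((default-directory (file-name-as-directory workdir))
         ;; `process-lines' signals an error if git exits non-zero.
         (head (car (process-lines "git" "rev-parse" "--verify"
                                   "HEAD^{commit}"))))
    ;; Compare the resolved HEAD with the pin byte for byte.
    (unless (string= head pinned)
      (error "Checked-out commit %s does not match pin %s" head pinned))
    head))
```

Calling `my/verify-pinned-checkout` on the clone directory before the grammar is compiled stops the install if the working tree is at any commit other than the pinned one.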
This bug report was last modified 23 days ago.