GNU bug report logs - #78542
[Security] hash locking needed for tree-sitter downloads


Package: emacs

Reported by: Daniel Colascione <dancol <at> dancol.org>

Date: Wed, 21 May 2025 19:13:04 UTC

Severity: normal

Fixed in version 31.0.50

Done: Juri Linkov <juri <at> linkov.net>

Bug is archived. No further changes may be made.



Message #43 received at control <at> debbugs.gnu.org:

From: Juri Linkov <juri <at> linkov.net>
To: Daniel Colascione <dancol <at> dancol.org>
Cc: Yuan Fu <casouri <at> gmail.com>, 78542 <at> debbugs.gnu.org,
 Eli Zaretskii <eliz <at> gnu.org>
Subject: Re: bug#78542: [Security] hash locking needed for tree-sitter
 downloads
Date: Fri, 20 Jun 2025 19:56:46 +0300

close 78542 31.0.50
thanks

>> The following patch introduces an alternative format
>> using keywords, e.g.:
>>
>>  (treesit--install-language-grammar-1
>>   (locate-user-emacs-file "tree-sitter") 'json
>>   "https://github.com/tree-sitter/tree-sitter-json"
>>   :commit "4d770d3")
>
> Great. While you're doing this, can you also please use full hashes?
> Short ones aren't particularly collision resistant.

So now replaced tags with full hashes that either correspond
to the previous tags or are mentioned explicitly in the comments
section of ts-mode files.

> P.S.S. Do we need the list of grammars in build.sh under admin? It
> duplicates what's in Lisp elsewhere in the tree.

I don't know if build.sh is still used or can be removed.
Maybe Yuan could answer.
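
The pinning point discussed in this message, as an added example that is not part of the thread and not Emacs's own code: a small audit that flags grammar recipes whose `:commit` is missing, is a tag or branch name, or is an abbreviated hash. The recipe shape `(LANG URL :commit HASH)` is an assumption modelled on the keyword call quoted above, the `my/` names are hypothetical, and every sample entry except the quoted json one is constructed.

```elisp
;;; -*- lexical-binding: t; -*-
;; Added example: audit grammar recipes for full-hash pinning.
(require 'cl-lib)

(defun my/pin-status (commit)
  "Classify COMMIT, the value of a recipe's :commit keyword.
Return `full', `abbreviated', `ref', `unpinned' or `invalid'."
  (cond
   ((null commit) 'unpinned)
   ((not (stringp commit)) 'invalid)
   ;; Anything that is not purely hexadecimal is a tag or branch
   ;; name, which the remote can move to different content later.
   ((not (string-match-p "\\`[[:xdigit:]]+\\'" commit)) 'ref)
   ;; A full Git object name is 40 hex digits (SHA-1 repositories)
   ;; or 64 hex digits (SHA-256 repositories).
   ((memq (length commit) '(40 64)) 'full)
   ;; Any other hex string is an abbreviation: it names a commit only
   ;; as long as no other object shares the same prefix.
   (t 'abbreviated)))

(defun my/audit-recipes (recipes)
  "Return (LANG . STATUS) for each of RECIPES not pinned to a full hash.
Each recipe is assumed to look like (LANG URL :commit HASH)."
  (cl-loop for (lang _url . keys) in recipes
           for status = (my/pin-status (plist-get keys :commit))
           unless (eq status 'full)
           collect (cons lang status)))

;; Sample input.  The json entry is the abbreviated form quoted in the
;; thread; the other entries, URLs and hashes are constructed.
(defvar my/sample-recipes
  `((json "https://github.com/tree-sitter/tree-sitter-json"
          :commit "4d770d3")
    (lang-a "https://example.org/grammar-a"
            :commit ,(make-string 40 ?a))
    (lang-b "https://example.org/grammar-b" :commit "v0.1.0")
    (lang-c "https://example.org/grammar-c")))

;; Evaluate to list the entries that still need a full hash.
(my/audit-recipes my/sample-recipes)
```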




This bug report was last modified 23 days ago.
