GNU bug report logs - #78542
[Security] hash locking needed for tree-sitter downloads

Previous Next

Package: emacs;

Reported by: Daniel Colascione <dancol <at> dancol.org>

Date: Wed, 21 May 2025 19:13:04 UTC

Severity: normal

Fixed in version 31.0.50

Done: Juri Linkov <juri <at> linkov.net>

Bug is archived. No further changes may be made.

Full log

Message #58 received at 78542 <at> debbugs.gnu.org (full text, mbox):

From: Stéphane Marks <shipmints <at> gmail.com>
To: Daniel Colascione <dancol <at> dancol.org>
Cc: 78542 <at> debbugs.gnu.org, casouri <at> gmail.com,
 Peter Oliver <p.d.oliver <at> mavit.org.uk>, eliz <at> gnu.org, juri <at> linkov.net
Subject: Re: bug#78542: [Security] hash locking needed for tree-sitter
Date: Sat, 21 Jun 2025 06:51:01 -0400

[Message part 1 (text/plain, inline)]
On Sat, Jun 21, 2025 at 12:24 AM Daniel Colascione <dancol <at> dancol.org>
wrote:

> Stéphane Marks <shipmints <at> gmail.com> writes:
>
> > On Fri, Jun 20, 2025 at 6:39 PM Peter Oliver <p.d.oliver <at> mavit.org.uk>
> > wrote:
> >
> >> On Jun 8, 2025, at 10:45 AM, Juri Linkov <juri <at> linkov.net> wrote:
> >>
> >> > Here is the current state:
> >> >
> >> > 3. (treesit--install-language-grammar-1
> >> >    (locate-user-emacs-file "tree-sitter") 'json
> >> >    "https://github.com/tree-sitter/tree-sitter-json"
> >> >    "4d770d3")
> >> >
> >> >  fails to check out "4d770d3" with the error:
> >> >
> >> >  git clone https://github.com/tree-sitter/tree-sitter-json --quiet
> >> --depth 1 -b 4d770d3
> >> >  warning: Could not find remote branch 4d770d3 to clone
> >> >  fatal: Remote branch 4d770d3 not found in upstream origin
> >>
> >> I’m a bit late to the party, here, but would it make sense to have, say:
> >>
> >>    (treesit--install-language-grammar-1
> >>     (locate-user-emacs-file "tree-sitter") 'json
> >>     "https://github.com/tree-sitter/tree-sitter-json"
> >>     :tag "v0.24.8"
> >>     :commit "4d770d31f732d50d3ec373865822fbe659e47c75")
> >>
> >> We could then:
> >>
> >>    git clone https://github.com/tree-sitter/tree-sitter-json --quiet
> >> --depth 1 -b v0.24.8
> >>    git checkout 4d770d31f732d50d3ec373865822fbe659e47c75
> >>
> >> Additionally, I think including the tag helps to clarify the intention
> to
> >> anyone reading the code, without them having to go away and refer to the
> >> repository to find out about that commit.
> >
> >
> > git tags aren't really immutable, though, as they can be changed to point
> > to other commits.  If you want to specify both a commit hash and a tag
> and
> > the tag doesn't or no longer points to that commit, that would be
> > confusing.
>
> Or an error. I guess you could include tag names to allow for some kind
> of UX shorthand while verifying, using the hashes, that the tags still
> refer to their designated trees.
>

Good.

[Message part 2 (text/html, inline)]
This bug report was last modified 23 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.