GNU bug report logs - #78542
[Security] hash locking needed for tree-sitter downloads


Package: emacs;

Reported by: Daniel Colascione <dancol <at> dancol.org>

Date: Wed, 21 May 2025 19:13:04 UTC

Severity: normal

Fixed in version 31.0.50

Done: Juri Linkov <juri <at> linkov.net>

Bug is archived. No further changes may be made.



Message #67 received at 78542 <at> debbugs.gnu.org (full text, mbox):

From: Dmitry Gutov <dmitry <at> gutov.dev>
To: Juri Linkov <juri <at> linkov.net>, Yuan Fu <casouri <at> gmail.com>
Cc: Eli Zaretskii <eliz <at> gnu.org>, 78542 <at> debbugs.gnu.org, dancol <at> dancol.org
Subject: Re: bug#78542: [Security] hash locking needed for tree-sitter downloads
Date: Mon, 23 Jun 2025 04:47:32 +0300

On 10/06/2025 09:23, Juri Linkov wrote:
> This still keeps full history.  This means we could simply
> set the default value of treesit--install-language-grammar-full-clone
> to t, or completely remove this variable, if there is no way
> to clone at a specific commit without fetching full history?

This SO answer gives two solutions: https://stackoverflow.com/a/43136160

The first (shorter one) requires the very latest Git client to be 
installed - something for us to note for the future.

The second just requires a suitably configured Git server, which GitHub
servers are. Quoting it here:

  git init
  git remote add origin <url>
  git fetch --depth 1 origin <sha1>
  git checkout FETCH_HEAD

The sha1 value must be full, but those are what we decided to use already.




This bug report was last modified 24 days ago.
