GNU bug report logs - #78542
[Security] hash locking needed for tree-sitter downloads


Package: emacs

Reported by: Daniel Colascione <dancol <at> dancol.org>

Date: Wed, 21 May 2025 19:13:04 UTC

Severity: normal

Fixed in version 31.0.50

Done: Juri Linkov <juri <at> linkov.net>

Bug is archived. No further changes may be made.


From: Juri Linkov <juri <at> linkov.net>
To: Dmitry Gutov <dmitry <at> gutov.dev>
Cc: Yuan Fu <casouri <at> gmail.com>, 78542 <at> debbugs.gnu.org, dancol <at> dancol.org, Eli Zaretskii <eliz <at> gnu.org>
Subject: bug#78542: [Security] hash locking needed for tree-sitter downloads
Date: Mon, 23 Jun 2025 09:39:20 +0300
>> This still keeps full history.  This means we could simply
>> set the default value of treesit--install-language-grammar-full-clone
>> to t, or completely remove this variable, if there is no way
>> to clone at a specific commit without fetching full history?
>
> This SO answer gives two solutions: https://stackoverflow.com/a/43136160
>
> The first (shorter one) requires the very latest Git client to be installed
> - something for us to note for the future.

Good news!  The new --revision option added in March 2025 is long overdue
and should have been added long ago together with the --branch option.

> The second just requires a suitably configured Git server, which GitHub
> servers are. Quoting it here:
>
>   git init
>   git remote add origin <url>
>   git fetch --depth 1 origin <sha1>
>   git checkout FETCH_HEAD
>
> The sha1 value must be full, but those are what we decided to use already.

When I tried various similar recipes, they all failed.  Maybe because I tried
with abbreviated SHA1s.  However, with the full SHA1 this seems to work.
I don't know how reliable this method is, since it requires setting
uploadpack.allowReachableSHA1InWant=true on the server side.

Otherwise, let's wait until the new --revision option becomes more widespread.
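The fetch-by-SHA1 recipe quoted above, wrapped in a hash-lock check, as an added example that is not part of this bug thread or of Emacs: it refuses abbreviated ids (which the recipe cannot resolve), performs the shallow fetch, and verifies that the checked-out HEAD is exactly the pinned commit. The throwaway repository, its commit messages, the file:// URL and the function names are constructed here for the demo.

```shell
#!/bin/sh
# Hash-locked shallow fetch of one pinned commit: init, add remote,
# fetch the full SHA1 with --depth 1, check out FETCH_HEAD, then verify
# that what landed is the pinned object and nothing else.
# Assumption: the server accepts wants by SHA1 (uploadpack.allowReachableSHA1InWant
# in protocol v0; protocol v2 does not limit wants to advertised refs).
set -u

fetch_pinned_commit() {
  url=$1 pin=$2 dest=$3
  # The recipe needs the full 40-hex id; abbreviated SHA1s fail, so refuse them early.
  case $pin in
    *[!0-9a-f]*) echo "refusing: not a hex SHA1" >&2; return 2 ;;
  esac
  [ ${#pin} -eq 40 ] || { echo "refusing: abbreviated SHA1" >&2; return 2; }
  git init -q "$dest" &&
  git -C "$dest" remote add origin "$url" &&
  git -C "$dest" fetch -q --depth 1 origin "$pin" &&
  git -C "$dest" checkout -q FETCH_HEAD || return 1
  # The lock itself: HEAD must be the pinned commit, whatever the server sent.
  got=$(git -C "$dest" rev-parse HEAD) || return 1
  [ "$got" = "$pin" ] || { echo "pin mismatch: got $got, wanted $pin" >&2; return 3; }
}

# Constructed demo: a local repo with three commits; the pin is the middle one,
# so the fetch must work for a reachable non-tip commit and must stay shallow.
demo_pinned_fetch() {
  src=$1/src dest=$1/dest
  git -c init.defaultBranch=main init -q "$src" || return 1
  for n in 1 2 3; do
    git -C "$src" -c user.name=demo -c user.email=demo@example.com \
      commit -q --allow-empty -m "commit $n" || return 1
    [ "$n" -eq 2 ] && pin=$(git -C "$src" rev-parse HEAD)
  done
  # Server-side setting named in the thread (needed for protocol v0 servers).
  git -C "$src" config uploadpack.allowReachableSHA1InWant true
  fetch_pinned_commit "file://$src" "$pin" "$dest" || return 1
  # Prints "<pin> <history depth>"; depth 1 shows no full history was fetched.
  printf '%s %s\n' "$pin" "$(git -C "$dest" rev-list --count HEAD)"
}

if [ "${1-}" = run ]; then demo_pinned_fetch "$(mktemp -d)"; fi
```

Run as `sh script.sh run` to see the pinned id and the resulting history depth.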
