GNU bug report logs - #78542
[Security] hash locking needed for tree-sitter downloads


Package: emacs;

Reported by: Daniel Colascione <dancol <at> dancol.org>

Date: Wed, 21 May 2025 19:13:04 UTC

Severity: normal

Fixed in version 31.0.50

Done: Juri Linkov <juri <at> linkov.net>

Bug is archived. No further changes may be made.


From: Dmitry Gutov <dmitry <at> gutov.dev>
To: Juri Linkov <juri <at> linkov.net>
Cc: Yuan Fu <casouri <at> gmail.com>, 78542 <at> debbugs.gnu.org, dancol <at> dancol.org, Eli Zaretskii <eliz <at> gnu.org>
Subject: bug#78542: [Security] hash locking needed for tree-sitter downloads
Date: Mon, 23 Jun 2025 18:46:21 +0300

On 23/06/2025 09:39, Juri Linkov wrote:
> When I tried various similar recipes, they all failed.  Maybe because I tried
> with abbreviated SHA1s.  However, with the full SHA1 this seems to work.
> I don't know how reliable this method is, since it requires setting
> uploadpack.allowReachableSHA1InWant=true on the server side.

I wonder if the new --revision option relies on that server setting 
anyway (how else would it be implemented?)

> Otherwise, let's wait until the new --revision option becomes more widespread.

Might take a few years (or 5-10). This script runs on the user's 
machine, and historically we've been hesitant to up the requirements on 
the installed version of Git.
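
The method discussed in this message, fetching a single commit by its full SHA-1 without the newer --revision option, as an added example that is not part of the original thread and is not Emacs's own code. `fetch_pinned` and `make_demo_repo` are hypothetical helper names, the sample repository is constructed, and the full-fetch fallback for servers that refuse the request is this example's own assumption.

```shell
#!/bin/sh
# Added example: fetch exactly one pinned commit and verify the checkout.
# fetch_pinned and make_demo_repo are hypothetical helper names.

# fetch_pinned URL FULL_SHA1 DEST -> returns 0 only if DEST's HEAD is FULL_SHA1
fetch_pinned() {
    url=$1 sha=$2 dest=$3
    # Abbreviated hashes are rejected: the request needs the full object name.
    case $sha in
        *[!0-9a-f]*) echo "pin must be lowercase hex" >&2; return 2 ;;
    esac
    [ "${#sha}" -eq 40 ] || { echo "pin must be a full 40-char SHA-1" >&2; return 2; }

    git init -q "$dest" &&
    git -C "$dest" remote add origin "$url" || return 1

    # Shallow fetch by hash. For a non-tip commit this depends on the server
    # permitting it (uploadpack.allowReachableSHA1InWant, as quoted above).
    if ! git -C "$dest" fetch -q --depth 1 origin "$sha" 2>/dev/null; then
        # Assumed fallback for servers that refuse: fetch all branches in full.
        git -C "$dest" fetch -q origin || return 1
    fi

    git -C "$dest" -c advice.detachedHead=false checkout -q --detach "$sha" || return 1
    # The pin check itself: HEAD must be the requested commit, nothing else.
    [ "$(git -C "$dest" rev-parse HEAD)" = "$sha" ]
}

# Constructed sample "server": a local repository with two commits.
# Prints the hash of the first (non-tip) commit on stdout.
make_demo_repo() {
    repo=$1
    git init -q "$repo" &&
    git -C "$repo" config uploadpack.allowReachableSHA1InWant true || return 1
    for n in 1 2; do
        echo "grammar v$n" > "$repo/grammar.js" &&
        git -C "$repo" add grammar.js &&
        git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
            -c commit.gpgsign=false commit -q -m "v$n" || return 1
    done
    git -C "$repo" rev-parse HEAD~1
}
```

Comparing `rev-parse HEAD` against the pin after checkout is what makes the result independent of which fetch path succeeded.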




This bug report was last modified 23 days ago.
