GNU logs - #78542, boring messages

Message sent to bug-gnu-emacs@HIDDEN:

Subject: bug#78542: [Security] hash locking needed for tree-sitter downloads
Resent-From: Daniel Colascione <dancol@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Wed, 21 May 2025 19:13:04 +0000
Resent-Message-ID: <handler.78542.B.174785477521664 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
To: 78542 <at> debbugs.gnu.org
From: Daniel Colascione <dancol@HIDDEN>
User-Agent: mu4e 1.12.10; emacs 31.0.50
Date: Wed, 21 May 2025 15:12:32 -0400
Message-ID: <m1sekx7p7j.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
Received-SPF: pass client-ip=2600:3c01:e000:3d8::1;
 envelope-from=dancol@HIDDEN; helo=dancol.org
X-Spam_score_int: -20
X-Spam_score: -2.1
X-Spam_bar: --
X-Spam_report: (-2.1 / 5.0 requ) BAYES_00=-1.9, DKIM_SIGNED=0.1,
 DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_PASS=-0.001,
 SPF_PASS=-0.001 autolearn=ham autolearn_force=no
X-Spam_action: no action
X-Spam-Score: 0.9 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -0.1 (/)

When downloading code, a tag isn't good enough.  We should insist on a
specific commit.

We have a fair bit of code in Emacs that looks like this:

(add-to-list
 'treesit-language-source-alist
 '(javascript "https://github.com/tree-sitter/tree-sitter-javascript" "v0.23.1")
 t)
(add-to-list
 'treesit-language-source-alist
 '(jsdoc "https://github.com/tree-sitter/tree-sitter-jsdoc" "v0.23.2")
 t)

The entries in treesit-language-source-alist mostly have tags but not
commit hashes.  The expected commit hash should be *mandatory*, because
right now, anyone with access to one of these repositories can retarget
any of those tags at malicious code.

See https://snyk.io/blog/npm-security-preventing-supply-chain-attacks/

Every other important language ecosystem has evolved some kind of "hash
locking" capability for breaking the author-retargets-to-malware attack
vector.  We should too.  We shouldn't allow the commit hash to be absent
for ordinary users.

P.S. we've debated vendoring these grammars with Emacs.  I still think
that's the right way to go.  But if we're going to download and build,
we should at least do it in a secure way.

P.S.S. Do we need the list of grammars in build.sh under admin? It
duplicates what's in Lisp elsewhere in the tree.

Message sent:

Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Mailer: MIME-tools 5.505 (Entity 5.505)
Content-Type: text/plain; charset=utf-8
X-Loop: help-debbugs@HIDDEN
From: help-debbugs@HIDDEN (GNU bug Tracking System)
To: Daniel Colascione <dancol@HIDDEN>
Subject: bug#78542: Acknowledgement ([Security] hash locking needed for
 tree-sitter downloads)
Message-ID: <handler.78542.B.174785477521664.ack <at> debbugs.gnu.org>
References: <m1sekx7p7j.fsf@HIDDEN>
X-Gnu-PR-Message: ack 78542
X-Gnu-PR-Package: emacs
Reply-To: 78542 <at> debbugs.gnu.org
Date: Wed, 21 May 2025 19:13:04 +0000

Thank you for filing a new bug report with debbugs.gnu.org.

This is an automatically generated reply to let you know your message
has been received.

Your message is being forwarded to the package maintainers and other
interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 bug-gnu-emacs@HIDDEN

If you wish to submit further information on this problem, please
send it to 78542 <at> debbugs.gnu.org.

Please do not send mail to help-debbugs@HIDDEN unless you wish
to report a problem with the Bug-tracking system.

--=20
78542: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D78542
GNU Bug Tracking System
Contact help-debbugs@HIDDEN with problems

Message sent to bug-gnu-emacs@HIDDEN:

Subject: bug#78542: [Security] hash locking needed for tree-sitter downloads
Resent-From: Juri Linkov <juri@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Thu, 22 May 2025 06:47:04 +0000
Resent-Message-ID: <handler.78542.B78542.174789638828478 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
To: Daniel Colascione <dancol@HIDDEN>
Cc: Yuan Fu <casouri@HIDDEN>, 78542 <at> debbugs.gnu.org
From: Juri Linkov <juri@HIDDEN>
In-Reply-To: <m1sekx7p7j.fsf@HIDDEN>
Organization: LINKOV.NET
References: <m1sekx7p7j.fsf@HIDDEN>
Date: Thu, 22 May 2025 09:36:57 +0300
Message-ID: <87o6vlxijm.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/31.0.50 (x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain
Precedence: list
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>

> When downloading code, a tag isn't good enough.  We should insist on a
> specific commit.
> [...]
> The entries in treesit-language-source-alist mostly have tags but not
> commit hashes.  The expected commit hash should be *mandatory*, because
> right now, anyone with access to one of these repositories can retarget
> any of those tags at malicious code.

Indeed, tags can be easily relocated to a different commit.

> Every other important language ecosystem has evolved some kind of "hash
> locking" capability for breaking the author-retargets-to-malware attack
> vector.  We should too.  We shouldn't allow the commit hash to be absent
> for ordinary users.

Agreed, "hash locking" should lock commit hashes, not tags.

> P.S. we've debated vendoring these grammars with Emacs.  I still think
> that's the right way to go.  But if we're going to download and build,
> we should at least do it in a secure way.

The only reason currently tags are used instead of commit hashes is
because there is no way to checkout a specific commit with the
current implementation when the default value of
'treesit--install-language-grammar-full-clone' is nil.

> P.S.S. Do we need the list of grammars in build.sh under admin? It
> duplicates what's in Lisp elsewhere in the tree.

Apparently no need, so they could be removed.

Message sent to bug-gnu-emacs@HIDDEN:

Subject: bug#78542: [Security] hash locking needed for tree-sitter downloads
Resent-From: Eli Zaretskii <eliz@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Sat, 07 Jun 2025 08:07:02 +0000
Resent-Message-ID: <handler.78542.B78542.174928356314749 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
To: Juri Linkov <juri@HIDDEN>, casouri@HIDDEN
Cc: 78542 <at> debbugs.gnu.org, dancol@HIDDEN
Date: Sat, 07 Jun 2025 11:05:51 +0300
Message-Id: <86wm9oj7s0.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
In-Reply-To: <87o6vlxijm.fsf@HIDDEN> (message from Juri Linkov on
 Thu, 22 May 2025 09:36:57 +0300)
References: <m1sekx7p7j.fsf@HIDDEN> <87o6vlxijm.fsf@HIDDEN>
Precedence: list
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>

Ping!  Do we want to make some progress here?

> Cc: Yuan Fu <casouri@HIDDEN>, 78542 <at> debbugs.gnu.org
> From: Juri Linkov <juri@HIDDEN>
> Date: Thu, 22 May 2025 09:36:57 +0300
> 
> > When downloading code, a tag isn't good enough.  We should insist on a
> > specific commit.
> > [...]
> > The entries in treesit-language-source-alist mostly have tags but not
> > commit hashes.  The expected commit hash should be *mandatory*, because
> > right now, anyone with access to one of these repositories can retarget
> > any of those tags at malicious code.
> 
> Indeed, tags can be easily relocated to a different commit.
> 
> > Every other important language ecosystem has evolved some kind of "hash
> > locking" capability for breaking the author-retargets-to-malware attack
> > vector.  We should too.  We shouldn't allow the commit hash to be absent
> > for ordinary users.
> 
> Agreed, "hash locking" should lock commit hashes, not tags.
> 
> > P.S. we've debated vendoring these grammars with Emacs.  I still think
> > that's the right way to go.  But if we're going to download and build,
> > we should at least do it in a secure way.
> 
> The only reason currently tags are used instead of commit hashes is
> because there is no way to checkout a specific commit with the
> current implementation when the default value of
> 'treesit--install-language-grammar-full-clone' is nil.
> 
> > P.S.S. Do we need the list of grammars in build.sh under admin? It
> > duplicates what's in Lisp elsewhere in the tree.
> 
> Apparently no need, so they could be removed.
> 
> 
> 
>

Message sent to bug-gnu-emacs@HIDDEN:

X-Loop: help-debbugs@HIDDEN
Subject: bug#78542: [Security] hash locking needed for tree-sitter downloads
Resent-From: Juri Linkov <juri@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Sun, 08 Jun 2025 17:50:01 +0000
Resent-Message-ID: <handler.78542.B78542.174940494310989 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 78542
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
To: Eli Zaretskii <eliz@HIDDEN>
Cc: 78542 <at> debbugs.gnu.org, casouri@HIDDEN, dancol@HIDDEN
Received: via spool by 78542-submit <at> debbugs.gnu.org id=B78542.174940494310989
          (code B ref 78542); Sun, 08 Jun 2025 17:50:01 +0000
Received: (at 78542) by debbugs.gnu.org; 8 Jun 2025 17:49:03 +0000
Received: from localhost ([127.0.0.1]:52822 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1uOK8l-0002rA-A1
	for submit <at> debbugs.gnu.org; Sun, 08 Jun 2025 13:49:03 -0400
Received: from relay7-d.mail.gandi.net ([217.70.183.200]:44567)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <juri@HIDDEN>) id 1uOK8j-0002qf-IQ
 for 78542 <at> debbugs.gnu.org; Sun, 08 Jun 2025 13:49:02 -0400
Received: by mail.gandi.net (Postfix) with ESMTPSA id 75312438F0;
 Sun,  8 Jun 2025 17:48:53 +0000 (UTC)
From: Juri Linkov <juri@HIDDEN>
In-Reply-To: <86wm9oj7s0.fsf@HIDDEN>
Organization: LINKOV.NET
References: <m1sekx7p7j.fsf@HIDDEN> <87o6vlxijm.fsf@HIDDEN>
 <86wm9oj7s0.fsf@HIDDEN>
Date: Sun, 08 Jun 2025 20:45:42 +0300
Message-ID: <87ecvugm9l.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/31.0.50 (x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain
X-GND-State: clean
X-GND-Score: -100
X-GND-Cause: gggruggvucftvghtrhhoucdtuddrgeeffedrtddugdekudejucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuifetpfffkfdpucggtfgfnhhsuhgsshgtrhhisggvnecuuegrihhlohhuthemuceftddunecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpefhvfevufgjohhffffkfgggtgesthdtredttdertdenucfhrhhomheplfhurhhiucfnihhnkhhovhcuoehjuhhriheslhhinhhkohhvrdhnvghtqeenucggtffrrghtthgvrhhnpeegtdekudehueevfefftedufeelgfejffektefgieevjeeigeekueejteelieegheenucffohhmrghinhepghhithhhuhgsrdgtohhmnecukfhppeeluddruddvledruddtfedrvdejnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehinhgvthepledurdduvdelrddutdefrddvjedphhgvlhhopehmrghilhdrghgrnhguihdrnhgvthdpmhgrihhlfhhrohhmpehjuhhriheslhhinhhkohhvrdhnvghtpdhnsggprhgtphhtthhopeegpdhrtghpthhtohepjeekheegvdesuggvsggsuhhgshdrghhnuhdrohhrghdprhgtphhtthhopegurghntgholhesuggrnhgtohhlrdhorhhgpdhrtghpthhtoheptggrshhouhhrihesghhmrghilhdrtghomhdprhgtphhtthhopegvlhhiiiesghhnuhdrohhrgh
X-GND-Sasl: juri@HIDDEN
X-Spam-Score: -0.7 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

>> The only reason currently tags are used instead of commit hashes is
>> because there is no way to checkout a specific commit with the
>> current implementation when the default value of
>> 'treesit--install-language-grammar-full-clone' is nil.

Here is the current state:

1. (treesit--install-language-grammar-1
    (locate-user-emacs-file "tree-sitter") 'json
    "https://github.com/tree-sitter/tree-sitter-json")

  installs the latest commit 46aa487.

2. (treesit--install-language-grammar-1
    (locate-user-emacs-file "tree-sitter") 'json
    "https://github.com/tree-sitter/tree-sitter-json"
    "v0.24.8")

  installs the commit ee35a6e tagged v0.24.8.

3. (treesit--install-language-grammar-1
    (locate-user-emacs-file "tree-sitter") 'json
    "https://github.com/tree-sitter/tree-sitter-json"
    "4d770d3")

  fails to check out "4d770d3" with the error:

  git clone https://github.com/tree-sitter/tree-sitter-json --quiet --depth 1 -b 4d770d3
  warning: Could not find remote branch 4d770d3 to clone
  fatal: Remote branch 4d770d3 not found in upstream origin

4. (treesit--install-language-grammar-1
    (locate-user-emacs-file "tree-sitter") 'json
    "https://github.com/tree-sitter/tree-sitter-json"
    nil nil nil nil "4d770d3")

  fails to check out "4d770d3" with the error:

  git -C /tmp/treesit-workdirHhEIhg/repo checkout 4d770d3
  error: pathspec '4d770d3' did not match any file(s) known to git

After (setq treesit--install-language-grammar-full-clone t):

5. (treesit--install-language-grammar-1
    (locate-user-emacs-file "tree-sitter") 'json
    "https://github.com/tree-sitter/tree-sitter-json"
    "4d770d3")

  successfully installs the commit "v0.24.8-1-g4d770d3".

When treesit--install-language-grammar-full-clone is nil,
"--depth 1" is added to "git clone".

So we need a Git guru to recommend a command line to use
"git clone" with "--depth 1" to check out a single commit.

Message sent to bug-gnu-emacs@HIDDEN:

X-Loop: help-debbugs@HIDDEN
Subject: bug#78542: [Security] hash locking needed for tree-sitter downloads
Resent-From: Yuan Fu <casouri@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Tue, 10 Jun 2025 01:39:01 +0000
Resent-Message-ID: <handler.78542.B78542.174951950927824 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 78542
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
To: Juri Linkov <juri@HIDDEN>
Cc: 78542 <at> debbugs.gnu.org, Eli Zaretskii <eliz@HIDDEN>, dancol@HIDDEN
Received: via spool by 78542-submit <at> debbugs.gnu.org id=B78542.174951950927824
          (code B ref 78542); Tue, 10 Jun 2025 01:39:01 +0000
Received: (at 78542) by debbugs.gnu.org; 10 Jun 2025 01:38:29 +0000
Received: from localhost ([127.0.0.1]:59423 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1uOnwX-0007EH-Jl
	for submit <at> debbugs.gnu.org; Mon, 09 Jun 2025 21:38:28 -0400
Received: from mail-pf1-x42e.google.com ([2607:f8b0:4864:20::42e]:42438)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128)
 (Exim 4.84_2) (envelope-from <casouri@HIDDEN>) id 1uOnwT-0007Cd-65
 for 78542 <at> debbugs.gnu.org; Mon, 09 Jun 2025 21:38:22 -0400
Received: by mail-pf1-x42e.google.com with SMTP id
 d2e1a72fcca58-74801bc6dc5so3671813b3a.1
 for <78542 <at> debbugs.gnu.org>; Mon, 09 Jun 2025 18:38:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=gmail.com; s=20230601; t=1749519495; x=1750124295; darn=debbugs.gnu.org;
 h=to:references:message-id:content-transfer-encoding:cc:date
 :in-reply-to:from:subject:mime-version:from:to:cc:subject:date
 :message-id:reply-to;
 bh=FcSFOC4zuChFa+tHDU6XG7o9rlGHpjgdA6TQQyY44hA=;
 b=H4lSyj/b2EauzFYQJUABufllOeK/mWm2FxPBjyKwMhhKIpNwihwY5aT0wwH0La/8G1
 +BNtWXUKgvtCYJNAPEevtok//dZB3Y9n87AWcpknyCBOvHVKIRr80fmDUqo8INhoPDwL
 1iuDf7GLgHOL/HoAMScqymsI08GgxYf3Y+eLaoeGF3Z9boqvrZZapkdgyF0tuxXBKuPI
 s4mP3a8PQKMvtciUEYmtaEevB30PiCpCZZyie1lSQ0ieDGj+gA9iMsWb1CkclJEM+Qu+
 II1inc0SGk2N72QQtupe1fwnpDoJb5lK3X9Wkd6Kl18EhHoQ1yvyM8BvOqW0kT5aofjH
 Y4Hg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20230601; t=1749519495; x=1750124295;
 h=to:references:message-id:content-transfer-encoding:cc:date
 :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=FcSFOC4zuChFa+tHDU6XG7o9rlGHpjgdA6TQQyY44hA=;
 b=tt8JxRUlQCy8mlEsCW+8ArpDVSkltKxDGuLjS79rzy4KLGF9DCTBfN6pKp6z5AX6vx
 gSnDnoyovcuEPN01IuzDjTdt1YB+ujsEyjRe/+ZtPASxtW3O2JCmwLi4VkdKOIbyVVxI
 AyXmAmi4oouimg61jhtrDv5ey2JDELci6hcjEIR3dpzYA2egD8brRheX581U8GC2Q1Us
 NSEwPScGuDLyAJyVwGe7ViiL8By7L7ZMyqjrWkHJY+IAI10jZ7ZZT7rUyEiqXKvcp3oJ
 em9wXjJghalzGz9ykoFffUg4Q3FMuCvRk1PW+g1G/yB2PI0yPxkXflTSwnhyMdjU0Tu7
 gdjQ==
X-Forwarded-Encrypted: i=1;
 AJvYcCV8EVlrTyXbsL9KZmEcBU96ccjLi6vf7Na9prPbQxYgqLLi1SuRZK7no0EY2O9OH5Jx2+1YMQ==@debbugs.gnu.org
X-Gm-Message-State: AOJu0Yxb7yHmYQi6dPeHDFupdK5HWYKonVbOYtOEYug9IXOP4/Ftp2YZ
 kVv7Reytnlco7UQ6g1Ot9SXy0QA1jOLWFT7nDVxtQBzD3rOmyGVhfDjp
X-Gm-Gg: ASbGncvN8z65PB60NGIKjOTvegys+5MGRLB7PWaa6TPs59WGqrS+rAMbBCqrspQuc/7
 XAPDPg6Y4+haGeZpO56Y3qKkeukz3QqUdayPXAeIGBWw+IoAL2m5tjjA6iBU+iOrSdPtYVNuniq
 9Q3xcpPnEF0lGAssSNWoUUf441N5ha1gZytudz3HdcVd0v4J+7hNfMaSyIPUfRncU81B0DmCjqR
 031+S7Gr4KVE+J9kOqMlw6YXosk8zC7UsOmTsLVChT/opJUxU2UT2ITY1zqps3y4pd2fAXcmfjr
 f0IvEnrpT1wDlmo8jU66Lu3cR5shSXuyZilFSP5TFswGgeI7w3JivQhXZOch/7WTLj+mrCpGlrJ
 mN8v+mLdy5hSyrQEGaGkaDa6Q0Qm21Qh8ukA=
X-Google-Smtp-Source: AGHT+IFBhfCXqdaTqgYfnvD6DNEV7Chh20cOojxGZTbHOSGLedq0UJN2jTD3lXjwgx4QtUFn1NT2ww==
X-Received: by 2002:aa7:88c3:0:b0:736:4e14:8ec5 with SMTP id
 d2e1a72fcca58-7485ea85e56mr2239435b3a.11.1749519494960; 
 Mon, 09 Jun 2025 18:38:14 -0700 (PDT)
Received: from smtpclient.apple (c-24-4-247-194.hsd1.ca.comcast.net.
 [24.4.247.194]) by smtp.gmail.com with ESMTPSA id
 d2e1a72fcca58-7482b0836d4sm6351623b3a.85.2025.06.09.18.38.13
 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
 Mon, 09 Jun 2025 18:38:14 -0700 (PDT)
Content-Type: text/plain;
	charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3826.500.181.1.5\))
From: Yuan Fu <casouri@HIDDEN>
In-Reply-To: <87ecvugm9l.fsf@HIDDEN>
Date: Mon, 9 Jun 2025 18:38:03 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <F7CE47A4-4714-453B-B9F2-5BD94F4692C8@HIDDEN>
References: <m1sekx7p7j.fsf@HIDDEN> <87o6vlxijm.fsf@HIDDEN>
 <86wm9oj7s0.fsf@HIDDEN> <87ecvugm9l.fsf@HIDDEN>
X-Mailer: Apple Mail (2.3826.500.181.1.5)
X-Spam-Score: 0.0 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)



> On Jun 8, 2025, at 10:45=E2=80=AFAM, Juri Linkov <juri@HIDDEN> =
wrote:
>=20
>>> The only reason currently tags are used instead of commit hashes is
>>> because there is no way to checkout a specific commit with the
>>> current implementation when the default value of
>>> 'treesit--install-language-grammar-full-clone' is nil.
>=20
> Here is the current state:
>=20
> 1. (treesit--install-language-grammar-1
>    (locate-user-emacs-file "tree-sitter") 'json
>    "https://github.com/tree-sitter/tree-sitter-json")
>=20
>  installs the latest commit 46aa487.
>=20
> 2. (treesit--install-language-grammar-1
>    (locate-user-emacs-file "tree-sitter") 'json
>    "https://github.com/tree-sitter/tree-sitter-json"
>    "v0.24.8")
>=20
>  installs the commit ee35a6e tagged v0.24.8.
>=20
> 3. (treesit--install-language-grammar-1
>    (locate-user-emacs-file "tree-sitter") 'json
>    "https://github.com/tree-sitter/tree-sitter-json"
>    "4d770d3")
>=20
>  fails to check out "4d770d3" with the error:
>=20
>  git clone https://github.com/tree-sitter/tree-sitter-json --quiet =
--depth 1 -b 4d770d3
>  warning: Could not find remote branch 4d770d3 to clone
>  fatal: Remote branch 4d770d3 not found in upstream origin
>=20
> 4. (treesit--install-language-grammar-1
>    (locate-user-emacs-file "tree-sitter") 'json
>    "https://github.com/tree-sitter/tree-sitter-json"
>    nil nil nil nil "4d770d3")
>=20
>  fails to check out "4d770d3" with the error:
>=20
>  git -C /tmp/treesit-workdirHhEIhg/repo checkout 4d770d3
>  error: pathspec '4d770d3' did not match any file(s) known to git
>=20
> After (setq treesit--install-language-grammar-full-clone t):
>=20
> 5. (treesit--install-language-grammar-1
>    (locate-user-emacs-file "tree-sitter") 'json
>    "https://github.com/tree-sitter/tree-sitter-json"
>    "4d770d3")
>=20
>  successfully installs the commit "v0.24.8-1-g4d770d3".
>=20
> When treesit--install-language-grammar-full-clone is nil,
> "--depth 1" is added to "git clone".
>=20
> So we need a Git guru to recommend a command line to use
> "git clone" with "--depth 1" to check out a single commit.

Would it work if we do a blobless full clone, checkout the commit, and =
fetch depth=3D1? Eg,

git clone https://github.com/tree-sitter/tree-sitter-json.git =
--filter=3Dblob:none
cd tree-sitter-json
git checkout 4d770d3
git fetch --depth=3D1

Yuan=

Message sent to bug-gnu-emacs@HIDDEN:

X-Loop: help-debbugs@HIDDEN
Subject: bug#78542: [Security] hash locking needed for tree-sitter downloads
Resent-From: Juri Linkov <juri@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Tue, 10 Jun 2025 06:48:03 +0000
Resent-Message-ID: <handler.78542.B78542.1749538035952 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 78542
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
To: Yuan Fu <casouri@HIDDEN>
Cc: 78542 <at> debbugs.gnu.org, Eli Zaretskii <eliz@HIDDEN>, dancol@HIDDEN
Received: via spool by 78542-submit <at> debbugs.gnu.org id=B78542.1749538035952
          (code B ref 78542); Tue, 10 Jun 2025 06:48:03 +0000
Received: (at 78542) by debbugs.gnu.org; 10 Jun 2025 06:47:15 +0000
Received: from localhost ([127.0.0.1]:60197 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1uOslO-0000FB-23
	for submit <at> debbugs.gnu.org; Tue, 10 Jun 2025 02:47:14 -0400
Received: from relay6-d.mail.gandi.net ([217.70.183.198]:53323)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <juri@HIDDEN>) id 1uOsfR-0007sc-Fk
 for 78542 <at> debbugs.gnu.org; Tue, 10 Jun 2025 02:41:09 -0400
Received: by mail.gandi.net (Postfix) with ESMTPSA id A27614424F;
 Tue, 10 Jun 2025 06:40:56 +0000 (UTC)
From: Juri Linkov <juri@HIDDEN>
In-Reply-To: <F7CE47A4-4714-453B-B9F2-5BD94F4692C8@HIDDEN>
Organization: LINKOV.NET
References: <m1sekx7p7j.fsf@HIDDEN> <87o6vlxijm.fsf@HIDDEN>
 <86wm9oj7s0.fsf@HIDDEN> <87ecvugm9l.fsf@HIDDEN>
 <F7CE47A4-4714-453B-B9F2-5BD94F4692C8@HIDDEN>
Date: Tue, 10 Jun 2025 09:23:31 +0300
Message-ID: <87sek8p1h4.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/31.0.50 (x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain
X-GND-State: clean
X-GND-Score: -100
X-GND-Cause: gggruggvucftvghtrhhoucdtuddrgeeffedrtddugddutdefkecutefuodetggdotefrodftvfcurfhrohhfihhlvgemucfitefpfffkpdcuggftfghnshhusghstghrihgsvgenuceurghilhhouhhtmecufedtudenucesvcftvggtihhpihgvnhhtshculddquddttddmnecujfgurhephffvvefujghofhffkfgfgggtsehttdertddtredtnecuhfhrohhmpefluhhrihcunfhinhhkohhvuceojhhurhhisehlihhnkhhovhdrnhgvtheqnecuggftrfgrthhtvghrnhepgedtkeduheeuveefffetudeflefgjeffkeetgfeiveejieegkeeujeetleeigeehnecuffhomhgrihhnpehgihhthhhusgdrtghomhenucfkphepledurdduvdelrddutdefrddvjeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepihhnvghtpeeluddruddvledruddtfedrvdejpdhhvghlohepmhgrihhlrdhgrghnughirdhnvghtpdhmrghilhhfrhhomhepjhhurhhisehlihhnkhhovhdrnhgvthdpnhgspghrtghpthhtohepgedprhgtphhtthhopeejkeehgedvseguvggssghughhsrdhgnhhurdhorhhgpdhrtghpthhtohepuggrnhgtohhlsegurghntgholhdrohhrghdprhgtphhtthhopegvlhhiiiesghhnuhdrohhrghdprhgtphhtthhopegtrghsohhurhhisehgmhgrihhlrdgtohhm
X-GND-Sasl: juri@HIDDEN
X-Spam-Score: -0.7 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

>> When treesit--install-language-grammar-full-clone is nil,
>> "--depth 1" is added to "git clone".
>> 
>> So we need a Git guru to recommend a command line to use
>> "git clone" with "--depth 1" to check out a single commit.
>
> Would it work if we do a blobless full clone, checkout the commit, and fetch depth=1? Eg,
>
> git clone https://github.com/tree-sitter/tree-sitter-json.git --filter=blob:none
> cd tree-sitter-json
> git checkout 4d770d3
> git fetch --depth=1

This still keeps full history.  This means we could simply
set the default value of treesit--install-language-grammar-full-clone
to t, or completely remove this variable, if there is no way
to clone at a specific commit without fetching full history?

Message sent to bug-gnu-emacs@HIDDEN:

X-Loop: help-debbugs@HIDDEN
Subject: bug#78542: [Security] hash locking needed for tree-sitter downloads
Resent-From: Daniel Colascione <dancol@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Tue, 10 Jun 2025 07:45:02 +0000
Resent-Message-ID: <handler.78542.B78542.174954147928344 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 78542
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
To: Juri Linkov <juri@HIDDEN>
Cc: Yuan Fu <casouri@HIDDEN>, 78542 <at> debbugs.gnu.org, Eli Zaretskii <eliz@HIDDEN>
Received: via spool by 78542-submit <at> debbugs.gnu.org id=B78542.174954147928344
          (code B ref 78542); Tue, 10 Jun 2025 07:45:02 +0000
Received: (at 78542) by debbugs.gnu.org; 10 Jun 2025 07:44:39 +0000
Received: from localhost ([127.0.0.1]:60730 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1uOtew-0007N0-Ia
	for submit <at> debbugs.gnu.org; Tue, 10 Jun 2025 03:44:39 -0400
Received: from dancol.org ([2600:3c01:e000:3d8::1]:46746)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <dancol@HIDDEN>) id 1uOtet-0007MQ-SQ
 for 78542 <at> debbugs.gnu.org; Tue, 10 Jun 2025 03:44:36 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=dancol.org; 
 s=x;
 h=Content-Type:MIME-Version:Message-ID:Date:References:In-Reply-To:
 Subject:Cc:To:From:Sender:Reply-To:Content-Transfer-Encoding:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
 List-Post:List-Owner:List-Archive;
 bh=fxAwwy4+fgcICz9mn7eVkoCpvtBgUUU56LGNg4e3dCY=; b=VpUr7Rdtr7OTyjdlK3vaH+cbur
 02dRFxeJYuxp2QyzbI4ZfTcDLDUQuflX2BceN0rcPVPutQnIyjGt+8UWGUlKi2ElvnnL4RmOy1hBC
 soRKJhSI91tweCJs2+4mR5ubfLXwBr96HVV3ObukJw3eo2u4F4FV5NFv4TgADLfU7syhyllbjYo1r
 OlnzCgA+VieuyNR5wkBXxEnVqFw9Pcu2pG/hToO+xkViR9ANipTcjDuA3+hi8u2l2p9CAF60y+wlI
 wpRefDE21pB+6pMNkNaAALI9HAkTdtuUTYVHA2ycjzqrfM5suU3JwLxkTThSd76JX2hers/Agw5ew
 QmnwRcIQ==;
Received: from dancol by dancol.org with local (Exim 4.96)
 (envelope-from <dancol@HIDDEN>) id 1uOtdX-00BWR1-0t;
 Tue, 10 Jun 2025 03:43:11 -0400
From: Daniel Colascione <dancol@HIDDEN>
In-Reply-To: <87sek8p1h4.fsf@HIDDEN>
References: <m1sekx7p7j.fsf@HIDDEN> <87o6vlxijm.fsf@HIDDEN>
 <86wm9oj7s0.fsf@HIDDEN> <87ecvugm9l.fsf@HIDDEN>
 <F7CE47A4-4714-453B-B9F2-5BD94F4692C8@HIDDEN>
 <87sek8p1h4.fsf@HIDDEN>
User-Agent: mu4e 1.12.10; emacs 31.0.50
Date: Tue, 10 Jun 2025 00:44:30 -0700
Message-ID: <m1y0u082ht.fsf@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain
X-Spam-Score: -0.0 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

Juri Linkov <juri@HIDDEN> writes:

>>> When treesit--install-language-grammar-full-clone is nil,
>>> "--depth 1" is added to "git clone".
>>> 
>>> So we need a Git guru to recommend a command line to use
>>> "git clone" with "--depth 1" to check out a single commit.
>>
>> Would it work if we do a blobless full clone, checkout the commit, and fetch depth=1? Eg,
>>
>> git clone https://github.com/tree-sitter/tree-sitter-json.git --filter=blob:none
>> cd tree-sitter-json
>> git checkout 4d770d3
>> git fetch --depth=1
>
> This still keeps full history.

There's a difference between full history and all blobs for all
revisions in this history.  You can also use --shallow-since during the
clone with a date to further limit history.  --shallow-exclude would
probably work even better, since you wouldn't need a date, but it's
broken for me somehow, at least with the repository above.
But --shallow-since works.

Message sent to bug-gnu-emacs@HIDDEN:

X-Loop: help-debbugs@HIDDEN
Subject: bug#78542: [Security] hash locking needed for tree-sitter downloads
Resent-From: Juri Linkov <juri@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Thu, 19 Jun 2025 17:09:01 +0000
Resent-Message-ID: <handler.78542.B78542.175035293323605 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 78542
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
To: Daniel Colascione <dancol@HIDDEN>
Cc: Yuan Fu <casouri@HIDDEN>, 78542 <at> debbugs.gnu.org, Eli Zaretskii <eliz@HIDDEN>
Received: via spool by 78542-submit <at> debbugs.gnu.org id=B78542.175035293323605
          (code B ref 78542); Thu, 19 Jun 2025 17:09:01 +0000
Received: (at 78542) by debbugs.gnu.org; 19 Jun 2025 17:08:53 +0000
Received: from localhost ([127.0.0.1]:36174 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1uSIku-00068d-0m
	for submit <at> debbugs.gnu.org; Thu, 19 Jun 2025 13:08:53 -0400
Received: from relay5-d.mail.gandi.net ([2001:4b98:dc4:8::225]:59523)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <juri@HIDDEN>) id 1uSIkq-00067I-6n
 for 78542 <at> debbugs.gnu.org; Thu, 19 Jun 2025 13:08:49 -0400
Received: by mail.gandi.net (Postfix) with ESMTPSA id 681A744351;
 Thu, 19 Jun 2025 17:08:40 +0000 (UTC)
From: Juri Linkov <juri@HIDDEN>
In-Reply-To: <m1y0u082ht.fsf@HIDDEN>
Organization: LINKOV.NET
References: <m1sekx7p7j.fsf@HIDDEN> <87o6vlxijm.fsf@HIDDEN>
 <86wm9oj7s0.fsf@HIDDEN> <87ecvugm9l.fsf@HIDDEN>
 <F7CE47A4-4714-453B-B9F2-5BD94F4692C8@HIDDEN>
 <87sek8p1h4.fsf@HIDDEN> <m1y0u082ht.fsf@HIDDEN>
Date: Thu, 19 Jun 2025 20:06:51 +0300
Message-ID: <87qzzfk6dw.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/31.0.50 (x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain
X-GND-State: clean
X-GND-Score: -100
X-GND-Cause: gggruggvucftvghtrhhoucdtuddrgeeffedrtddvgdeitdekucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuifetpfffkfdpucggtfgfnhhsuhgsshgtrhhisggvnecuuegrihhlohhuthemuceftddunecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpefhvfevufgjohhffffkfgggtgesthdtredttdertdenucfhrhhomheplfhurhhiucfnihhnkhhovhcuoehjuhhriheslhhinhhkohhvrdhnvghtqeenucggtffrrghtthgvrhhnpeegtdekudehueevfefftedufeelgfejffektefgieevjeeigeekueejteelieegheenucffohhmrghinhepghhithhhuhgsrdgtohhmnecukfhppeeluddruddvledruddttddrjeejnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehinhgvthepledurdduvdelrddutddtrdejjedphhgvlhhopehmrghilhdrghgrnhguihdrnhgvthdpmhgrihhlfhhrohhmpehjuhhriheslhhinhhkohhvrdhnvghtpdhnsggprhgtphhtthhopeegpdhrtghpthhtohepjeekheegvdesuggvsggsuhhgshdrghhnuhdrohhrghdprhgtphhtthhopegvlhhiiiesghhnuhdrohhrghdprhgtphhtthhopegtrghsohhurhhisehgmhgrihhlrdgtohhmpdhrtghpthhtohepuggrnhgtohhlsegurghntgholhdrohhrgh
X-GND-Sasl: juri@HIDDEN
X-Spam-Score: -0.7 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

>>>> When treesit--install-language-grammar-full-clone is nil,
>>>> "--depth 1" is added to "git clone".
>>>> 
>>>> So we need a Git guru to recommend a command line to use
>>>> "git clone" with "--depth 1" to check out a single commit.
>>>
>>> Would it work if we do a blobless full clone, checkout the commit, and fetch depth=1? Eg,
>>>
>>> git clone https://github.com/tree-sitter/tree-sitter-json.git --filter=blob:none
>>> cd tree-sitter-json
>>> git checkout 4d770d3
>>> git fetch --depth=1
>>
>> This still keeps full history.
>
> There's a difference between full history and all blobs for all
> revisions in this history.  You can also use --shallow-since during the
> clone with a date to further limit history.  --shallow-exclude would
> probably work even better, since you wouldn't need a date, but it's
> broken for me somehow, at least with the repository above.
> But --shallow-since works.

I can't find what value to provide for --shallow-since.
So let's just use a blobless full clone:

diff --git a/lisp/treesit.el b/lisp/treesit.el
index 353e991ec20..5d03f0cf45e 100644
--- a/lisp/treesit.el
+++ b/lisp/treesit.el
@@ -5238,7 +5238,13 @@ treesit--install-language-grammar-1
           (if url-is-dir
               (when revision
                 (treesit--git-checkout-branch workdir revision))
-            (treesit--git-clone-repo url revision workdir))
+            (if commit
+                ;; Force blobless full clone to be able later
+                ;; to checkout a commit (bug#78542).
+                (let ((treesit--install-language-grammar-blobless t)
+                      (treesit--install-language-grammar-full-clone t))
+                  (treesit--git-clone-repo url revision workdir))
+              (treesit--git-clone-repo url revision workdir)))
           (when commit
             (treesit--git-checkout-branch workdir commit))
           (setq version (treesit--language-git-revision workdir))

Message sent to bug-gnu-emacs@HIDDEN:

X-Loop: help-debbugs@HIDDEN
Subject: bug#78542: [Security] hash locking needed for tree-sitter downloads
Resent-From: Juri Linkov <juri@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Thu, 19 Jun 2025 17:57:01 +0000
Resent-Message-ID: <handler.78542.B78542.175035576512146 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 78542
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
To: Daniel Colascione <dancol@HIDDEN>
Cc: Yuan Fu <casouri@HIDDEN>, 78542 <at> debbugs.gnu.org, Eli Zaretskii <eliz@HIDDEN>
Received: via spool by 78542-submit <at> debbugs.gnu.org id=B78542.175035576512146
          (code B ref 78542); Thu, 19 Jun 2025 17:57:01 +0000
Received: (at 78542) by debbugs.gnu.org; 19 Jun 2025 17:56:05 +0000
Received: from localhost ([127.0.0.1]:37038 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1uSJUa-00039o-RO
	for submit <at> debbugs.gnu.org; Thu, 19 Jun 2025 13:56:05 -0400
Received: from relay7-d.mail.gandi.net ([2001:4b98:dc4:8::227]:45503)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <juri@HIDDEN>) id 1uSJUY-00038j-Mg
 for 78542 <at> debbugs.gnu.org; Thu, 19 Jun 2025 13:56:03 -0400
Received: by mail.gandi.net (Postfix) with ESMTPSA id 3678644377;
 Thu, 19 Jun 2025 17:55:53 +0000 (UTC)
From: Juri Linkov <juri@HIDDEN>
In-Reply-To: <87qzzfk6dw.fsf@HIDDEN>
Organization: LINKOV.NET
References: <m1sekx7p7j.fsf@HIDDEN> <87o6vlxijm.fsf@HIDDEN>
 <86wm9oj7s0.fsf@HIDDEN> <87ecvugm9l.fsf@HIDDEN>
 <F7CE47A4-4714-453B-B9F2-5BD94F4692C8@HIDDEN>
 <87sek8p1h4.fsf@HIDDEN> <m1y0u082ht.fsf@HIDDEN>
 <87qzzfk6dw.fsf@HIDDEN>
Date: Thu, 19 Jun 2025 20:54:08 +0300
Message-ID: <87v7oripmn.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/31.0.50 (x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="
X-GND-State: clean
X-GND-Score: -100
X-GND-Cause: gggruggvucftvghtrhhoucdtuddrgeeffedrtddvgdeiudejucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuifetpfffkfdpucggtfgfnhhsuhgsshgtrhhisggvnecuuegrihhlohhuthemuceftddunecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpefhvfevufgjohhffffkfgggtgesmhdtreertdertdenucfhrhhomheplfhurhhiucfnihhnkhhovhcuoehjuhhriheslhhinhhkohhvrdhnvghtqeenucggtffrrghtthgvrhhnpedvffdvgfffhefhueehieffhfeitdfftdeuvdejvdduledtfedvleeikeelheduheenucffohhmrghinhepghhithhhuhgsrdgtohhmnecukfhppeeluddruddvledruddttddrjeejnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehinhgvthepledurdduvdelrddutddtrdejjedphhgvlhhopehmrghilhdrghgrnhguihdrnhgvthdpmhgrihhlfhhrohhmpehjuhhriheslhhinhhkohhvrdhnvghtpdhnsggprhgtphhtthhopeegpdhrtghpthhtohepvghlihiisehgnhhurdhorhhgpdhrtghpthhtohepjeekheegvdesuggvsggsuhhgshdrghhnuhdrohhrghdprhgtphhtthhopegtrghsohhurhhisehgmhgrihhlrdgtohhmpdhrtghpthhtohepuggrnhgtohhlsegurghntgholhdrohhrgh
X-GND-Sasl: juri@HIDDEN
X-Spam-Score: -0.7 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

--=-=-=
Content-Type: text/plain

> +            (if commit
> +                ;; Force blobless full clone to be able later
> +                ;; to checkout a commit (bug#78542).
> +                (let ((treesit--install-language-grammar-blobless t)
> +                      (treesit--install-language-grammar-full-clone t))
> +                  (treesit--git-clone-repo url revision workdir))
> +              (treesit--git-clone-repo url revision workdir)))

Since with this change it's possible to specify the commit,
let's also improve the format of the source list.
Currently adding a commit to the list requires
prefixing it with four nils:

  (treesit--install-language-grammar-1
   (locate-user-emacs-file "tree-sitter") 'json
   "https://github.com/tree-sitter/tree-sitter-json"
   nil nil nil nil "4d770d3")

The following patch introduces an alternative format
using keywords, e.g.:

  (treesit--install-language-grammar-1
   (locate-user-emacs-file "tree-sitter") 'json
   "https://github.com/tree-sitter/tree-sitter-json"
   :commit "4d770d3")


--=-=-=
Content-Type: text/x-diff
Content-Disposition: inline; filename=treesit-language-source-alist.patch

diff --git a/lisp/treesit.el b/lisp/treesit.el
index 353e991ec20..fedcb6ed1e9 100644
--- a/lisp/treesit.el
+++ b/lisp/treesit.el
@@ -4998,7 +4998,7 @@ treesit-language-source-alist
 
 The value should be an alist where each element has the form
 
-    (LANG . (URL REVISION SOURCE-DIR CC C++ COMMIT [KEYWORD VALUE]...))
+    (LANG . (URL REVISION SOURCE-DIR CC C++ COMMIT))
 
 Only LANG and URL are mandatory.  LANG is the language symbol.
 URL is the URL of the grammar's Git repository or a directory
@@ -5015,8 +5015,17 @@ treesit-language-source-alist
 CC and C++ are C and C++ compilers, defaulting to \"cc\" and
 \"c++\", respectively.
 
+Another way to specify optional data is to use keywords:
+
+    (LANG . (URL [KEYWORD VALUE]...))
+
 The currently supported keywords:
 
+`:revision' is the same as REVISION above.
+`:source-dir' is the same as SOURCE-DIR above.
+`:cc' is the same as CC above.
+`:c++' is the same as C++ above.
+`:commit' is the same as COMMIT above.
 `:copy-queries' when non-nil specifies whether to copy the files
 in the \"queries\" directory from the source directory to the
 installation directory.")
@@ -5203,7 +5212,7 @@ treesit--git-clone-repo
     (apply #'treesit--call-process-signal args)))
 
 (defun treesit--install-language-grammar-1
-    (out-dir lang url &optional revision source-dir cc c++ commit &rest args)
+    (out-dir lang url &rest args)
   "Compile and install a tree-sitter language grammar library.
 
 OUT-DIR is the directory to put the compiled library file.  If it
@@ -5211,8 +5220,7 @@ treesit--install-language-grammar-1
 configuration directory is used (and automatically created if it
 does not exist).
 
-For LANG, URL, REVISION, SOURCE-DIR, GRAMMAR-DIR, CC, C++, COMMIT, see
-`treesit-language-source-alist'.
+For ARGS, see `treesit-language-source-alist'.
 
 Return the git revision of the installed grammar.  The revision is
 generated by \"git describe\".  It only works when
@@ -5225,13 +5233,25 @@ treesit--install-language-grammar-1
          (workdir (if url-is-dir
                       maybe-repo-dir
                     (expand-file-name "repo")))
-         copy-queries version)
+         version
+         revision source-dir cc c++ commit copy-queries)
 
     ;; Process the keyword args.
     (while (keywordp (car args))
       (pcase (pop args)
-        (:copy-queries (setq copy-queries (pop args)))
-        (_ (pop args))))
+        (:revision     (setq revision     (pop args)))
+        (:source-dir   (setq source-dir   (pop args)))
+        (:cc           (setq cc           (pop args)))
+        (:c++          (setq c++          (pop args)))
+        (:commit       (setq commit       (pop args)))
+        (:copy-queries (setq copy-queries (pop args)))))
+
+    ;; Old positional convention for backward-compatibility:
+    (unless revision   (setq revision   (nth 0 args)))
+    (unless source-dir (setq source-dir (nth 1 args)))
+    (unless cc         (setq cc         (nth 2 args)))
+    (unless c++        (setq c++        (nth 3 args)))
+    (unless commit     (setq commit     (nth 4 args)))
 
     (unwind-protect
         (with-temp-buffer

--=-=-=--

Message sent to bug-gnu-emacs@HIDDEN:

X-Loop: help-debbugs@HIDDEN
Subject: bug#78542: [Security] hash locking needed for tree-sitter downloads
Resent-From: Daniel Colascione <dancol@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Thu, 19 Jun 2025 18:14:03 +0000
Resent-Message-ID: <handler.78542.B78542.175035678919639 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 78542
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
To: Juri Linkov <juri@HIDDEN>
Cc: Yuan Fu <casouri@HIDDEN>, 78542 <at> debbugs.gnu.org, Eli Zaretskii <eliz@HIDDEN>
Received: via spool by 78542-submit <at> debbugs.gnu.org id=B78542.175035678919639
          (code B ref 78542); Thu, 19 Jun 2025 18:14:03 +0000
Received: (at 78542) by debbugs.gnu.org; 19 Jun 2025 18:13:09 +0000
Received: from localhost ([127.0.0.1]:37300 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1uSJl6-00056e-PZ
	for submit <at> debbugs.gnu.org; Thu, 19 Jun 2025 14:13:09 -0400
Received: from dancol.org ([2600:3c01:e000:3d8::1]:36908)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <dancol@HIDDEN>) id 1uSJl3-00056B-OD
 for 78542 <at> debbugs.gnu.org; Thu, 19 Jun 2025 14:13:06 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=dancol.org; 
 s=x;
 h=Content-Transfer-Encoding:Content-Type:MIME-Version:Message-ID:
 References:In-Reply-To:Subject:CC:To:From:Date:Sender:Reply-To:Content-ID:
 Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc
 :Resent-Message-ID:List-Id:List-Help:List-Unsubscribe:List-Subscribe:
 List-Post:List-Owner:List-Archive;
 bh=lmWlpvXMjpVwzNI58xLBncl+XtNkQ3q8VEl7+g88iJU=; b=Yom7ur9PqR2Np4pREqKVgY/Bzl
 VnbbyBikpy+FXMZXt9ijxPQqUTvocJy9EMbPe+OPc4uXjtLl/3qHVolA78rF3zL7ka3Pi6Q5G5plL
 Y/2JE0ecpNQPWX6NLwsH5+KMXEaZXXiydsiwPQDWqKrmni6ZYoxn7iiKA3Z1lH8T63Weht4tZz+ks
 xhhChZxuUBIOSnKHl4d7vUGnQMsOgm0adjR3RUERtW1HwWhpRa4CeUIaxxjYYbhnQl6+r6n440Yvj
 2zG8DsE1GXrTT150b3g3TlLzJXq1SdbuBlQj0a/fXDVZzbSP8gz6MCXZSP6ZmdL3ejsDFno88pfL+
 0X8clTpw==;
Received: from [2600:1006:b181:8eab:0:44:9f3e:3501] (port=46220
 helo=[IPv6:::1])
 by dancol.org with esmtpsa (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 (Exim 4.96) (envelope-from <dancol@HIDDEN>) id 1uSJja-00CNIk-2Q;
 Thu, 19 Jun 2025 14:11:34 -0400
Date: Thu, 19 Jun 2025 14:12:56 -0400
From: Daniel Colascione <dancol@HIDDEN>
User-Agent: K-9 Mail for Android
In-Reply-To: <87v7oripmn.fsf@HIDDEN>
References: <m1sekx7p7j.fsf@HIDDEN> <87o6vlxijm.fsf@HIDDEN>
 <86wm9oj7s0.fsf@HIDDEN> <87ecvugm9l.fsf@HIDDEN>
 <F7CE47A4-4714-453B-B9F2-5BD94F4692C8@HIDDEN>
 <87sek8p1h4.fsf@HIDDEN> <m1y0u082ht.fsf@HIDDEN>
 <87qzzfk6dw.fsf@HIDDEN> <87v7oripmn.fsf@HIDDEN>
Message-ID: <4BE28885-3135-4FA9-8665-22DBC9E31FC8@HIDDEN>
MIME-Version: 1.0
Content-Type: text/plain;
 charset=utf-8
Content-Transfer-Encoding: quoted-printable
X-Spam-Score: -0.0 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.0 (-)

On June 19, 2025 1:54:08 PM EDT, Juri Linkov <juri@linkov=2Enet> wrote:
>> +            (if commit
>> +                ;; Force blobless full clone to be able later
>> +                ;; to checkout a commit (bug#78542)=2E
>> +                (let ((treesit--install-language-grammar-blobless t)
>> +                      (treesit--install-language-grammar-full-clone t)=
)
>> +                  (treesit--git-clone-repo url revision workdir))
>> +              (treesit--git-clone-repo url revision workdir)))
>
>Since with this change it's possible to specify the commit,
>let's also improve the format of the source list=2E
>Currently adding a commit to the list requires
>prefixing it with four nils:
>
>  (treesit--install-language-grammar-1
>   (locate-user-emacs-file "tree-sitter") 'json
>   "https://github=2Ecom/tree-sitter/tree-sitter-json"
>   nil nil nil nil "4d770d3")
>
>The following patch introduces an alternative format
>using keywords, e=2Eg=2E:
>
>  (treesit--install-language-grammar-1
>   (locate-user-emacs-file "tree-sitter") 'json
>   "https://github=2Ecom/tree-sitter/tree-sitter-json"
>   :commit "4d770d3")
>


Great=2E While you're doing this, can you also please use full hashes? Sho=
rt ones aren't particularly collision resistant=2E

Message sent to bug-gnu-emacs@HIDDEN:

X-Loop: help-debbugs@HIDDEN
Subject: bug#78542: [Security] hash locking needed for tree-sitter downloads
Resent-From: Eli Zaretskii <eliz@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Fri, 20 Jun 2025 06:56:02 +0000
Resent-Message-ID: <handler.78542.B78542.175040252120054 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 78542
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
To: Juri Linkov <juri@HIDDEN>
Cc: 78542 <at> debbugs.gnu.org, casouri@HIDDEN, dancol@HIDDEN
Received: via spool by 78542-submit <at> debbugs.gnu.org id=B78542.175040252120054
          (code B ref 78542); Fri, 20 Jun 2025 06:56:02 +0000
Received: (at 78542) by debbugs.gnu.org; 20 Jun 2025 06:55:21 +0000
Received: from localhost ([127.0.0.1]:45158 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1uSVej-0005DO-8x
	for submit <at> debbugs.gnu.org; Fri, 20 Jun 2025 02:55:21 -0400
Received: from eggs.gnu.org ([2001:470:142:3::10]:50124)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <eliz@HIDDEN>) id 1uSVeg-0005Cz-Mz
 for 78542 <at> debbugs.gnu.org; Fri, 20 Jun 2025 02:55:19 -0400
Received: from fencepost.gnu.org ([2001:470:142:3::e])
 by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.90_1) (envelope-from <eliz@HIDDEN>)
 id 1uSVeY-0004p1-Pq; Fri, 20 Jun 2025 02:55:12 -0400
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gnu.org;
 s=fencepost-gnu-org; h=References:Subject:In-Reply-To:To:From:Date:
 mime-version; bh=6RcXx3I/TbNu7cNAD1TMQy41omyT724yZ+XMfckw4Wo=; b=PkPVKG/TV7dO
 ese6TBNFHvHffRMVB8OEpE0BGWs8JBHKDXdvA74n06fwOLqZPysWQ7mkGQGV11mwymxTOHpHsg8Hz
 fajAcoekCLwg67fbFVLUw4ZN18zSxheS0uhQTDjzRcI1C+z8w4AmkUTLBKDJcT7jbZi/HGQwlI2iy
 uxm6LYHRc/2x6pkx6ZSFrxvW81z/ey3wuYPMsY3+YbGvccZZ+BBxYvP7g+e7V0jckFNwHLCxwNOZx
 8/y5Ai5xeQGCXqmB2TqjkMlj+H9FTkuQ43Jj2euFXFeAlTFuGRaBVvooTIjP5ujd6GZWhP3H/s2vA
 vihe6hb3A5TgtvqF9qTZow==;
Date: Fri, 20 Jun 2025 09:55:04 +0300
Message-Id: <867c16lx6f.fsf@HIDDEN>
From: Eli Zaretskii <eliz@HIDDEN>
In-Reply-To: <87v7oripmn.fsf@HIDDEN> (message from Juri Linkov on
 Thu, 19 Jun 2025 20:54:08 +0300)
References: <m1sekx7p7j.fsf@HIDDEN> <87o6vlxijm.fsf@HIDDEN>
 <86wm9oj7s0.fsf@HIDDEN> <87ecvugm9l.fsf@HIDDEN>
 <F7CE47A4-4714-453B-B9F2-5BD94F4692C8@HIDDEN>
 <87sek8p1h4.fsf@HIDDEN> <m1y0u082ht.fsf@HIDDEN>
 <87qzzfk6dw.fsf@HIDDEN> <87v7oripmn.fsf@HIDDEN>
X-Spam-Score: -2.3 (--)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -3.3 (---)

> From: Juri Linkov <juri@HIDDEN>
> Cc: Yuan Fu <casouri@HIDDEN>,  78542 <at> debbugs.gnu.org,  Eli Zaretskii
>  <eliz@HIDDEN>
> Date: Thu, 19 Jun 2025 20:54:08 +0300
> 
>  The value should be an alist where each element has the form
>  
> -    (LANG . (URL REVISION SOURCE-DIR CC C++ COMMIT [KEYWORD VALUE]...))
> +    (LANG . (URL REVISION SOURCE-DIR CC C++ COMMIT))
>  
>  Only LANG and URL are mandatory.  LANG is the language symbol.
>  URL is the URL of the grammar's Git repository or a directory
> @@ -5015,8 +5015,17 @@ treesit-language-source-alist
>  CC and C++ are C and C++ compilers, defaulting to \"cc\" and
>  \"c++\", respectively.
>  
> +Another way to specify optional data is to use keywords:
> +
> +    (LANG . (URL [KEYWORD VALUE]...))
> +
>  The currently supported keywords:
>  
> +`:revision' is the same as REVISION above.
> +`:source-dir' is the same as SOURCE-DIR above.
> +`:cc' is the same as CC above.
> +`:c++' is the same as C++ above.
> +`:commit' is the same as COMMIT above.
>  `:copy-queries' when non-nil specifies whether to copy the files
>  in the \"queries\" directory from the source directory to the
>  installation directory.")

This is okay, but I guess the keywords are not entirely independent?
That is, to have a valid spec one needs several keywords to be
specified together?  In that case, I think this should be stated in
the doc string.

Message sent to bug-gnu-emacs@HIDDEN:

X-Loop: help-debbugs@HIDDEN
Subject: bug#78542: [Security] hash locking needed for tree-sitter downloads
Resent-From: Juri Linkov <juri@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Fri, 20 Jun 2025 17:00:02 +0000
Resent-Message-ID: <handler.78542.B78542.175043878817097 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 78542
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
To: Eli Zaretskii <eliz@HIDDEN>
Cc: 78542 <at> debbugs.gnu.org, casouri@HIDDEN, dancol@HIDDEN
Received: via spool by 78542-submit <at> debbugs.gnu.org id=B78542.175043878817097
          (code B ref 78542); Fri, 20 Jun 2025 17:00:02 +0000
Received: (at 78542) by debbugs.gnu.org; 20 Jun 2025 16:59:48 +0000
Received: from localhost ([127.0.0.1]:54623 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1uSf5d-0004RJ-0E
	for submit <at> debbugs.gnu.org; Fri, 20 Jun 2025 12:59:47 -0400
Received: from relay4-d.mail.gandi.net ([2001:4b98:dc4:8::224]:51099)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <juri@HIDDEN>) id 1uSf5a-0004Q6-A8
 for 78542 <at> debbugs.gnu.org; Fri, 20 Jun 2025 12:59:42 -0400
Received: by mail.gandi.net (Postfix) with ESMTPSA id B8F1E43AD6;
 Fri, 20 Jun 2025 16:59:34 +0000 (UTC)
From: Juri Linkov <juri@HIDDEN>
In-Reply-To: <867c16lx6f.fsf@HIDDEN>
Organization: LINKOV.NET
References: <m1sekx7p7j.fsf@HIDDEN> <87o6vlxijm.fsf@HIDDEN>
 <86wm9oj7s0.fsf@HIDDEN> <87ecvugm9l.fsf@HIDDEN>
 <F7CE47A4-4714-453B-B9F2-5BD94F4692C8@HIDDEN>
 <87sek8p1h4.fsf@HIDDEN> <m1y0u082ht.fsf@HIDDEN>
 <87qzzfk6dw.fsf@HIDDEN> <87v7oripmn.fsf@HIDDEN>
 <867c16lx6f.fsf@HIDDEN>
Date: Fri, 20 Jun 2025 19:48:09 +0300
Message-ID: <87msa2e4vq.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/31.0.50 (x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain
X-GND-State: clean
X-GND-Score: -100
X-GND-Cause: gggruggvucftvghtrhhoucdtuddrgeeffedrtddvgdekleegucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuifetpfffkfdpucggtfgfnhhsuhgsshgtrhhisggvnecuuegrihhlohhuthemuceftddunecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpefhvfevufgjohhffffkfgggtgesthdtredttdertdenucfhrhhomheplfhurhhiucfnihhnkhhovhcuoehjuhhriheslhhinhhkohhvrdhnvghtqeenucggtffrrghtthgvrhhnpeffgeetfeevlefhleejfeeuheeiudeitdffhfdutdekfeffgffhveehteegueekheenucfkphepledurdduvdelrddutddtrdejjeenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepihhnvghtpeeluddruddvledruddttddrjeejpdhhvghlohepmhgrihhlrdhgrghnughirdhnvghtpdhmrghilhhfrhhomhepjhhurhhisehlihhnkhhovhdrnhgvthdpnhgspghrtghpthhtohepgedprhgtphhtthhopeejkeehgedvseguvggssghughhsrdhgnhhurdhorhhgpdhrtghpthhtoheptggrshhouhhrihesghhmrghilhdrtghomhdprhgtphhtthhopegurghntgholhesuggrnhgtohhlrdhorhhgpdhrtghpthhtohepvghlihiisehgnhhurdhorhhg
X-GND-Sasl: juri@HIDDEN
X-Spam-Score: -0.7 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

>>  The value should be an alist where each element has the form
>>  
>> -    (LANG . (URL REVISION SOURCE-DIR CC C++ COMMIT [KEYWORD VALUE]...))
>> +    (LANG . (URL REVISION SOURCE-DIR CC C++ COMMIT))
>>  
>>  Only LANG and URL are mandatory.  LANG is the language symbol.
>>  URL is the URL of the grammar's Git repository or a directory
>> @@ -5015,8 +5015,17 @@ treesit-language-source-alist
>>  CC and C++ are C and C++ compilers, defaulting to \"cc\" and
>>  \"c++\", respectively.
>>  
>> +Another way to specify optional data is to use keywords:
>> +
>> +    (LANG . (URL [KEYWORD VALUE]...))
>> +
>>  The currently supported keywords:
>>  
>> +`:revision' is the same as REVISION above.
>> +`:source-dir' is the same as SOURCE-DIR above.
>> +`:cc' is the same as CC above.
>> +`:c++' is the same as C++ above.
>> +`:commit' is the same as COMMIT above.
>>  `:copy-queries' when non-nil specifies whether to copy the files
>>  in the \"queries\" directory from the source directory to the
>>  installation directory.")
>
> This is okay, but I guess the keywords are not entirely independent?
> That is, to have a valid spec one needs several keywords to be
> specified together?  In that case, I think this should be stated in
> the doc string.

Actually, the keywords are independent.  This was the reason
to introduce the keywords, so they could be specified separately
from other keywords.

Message sent to bug-gnu-emacs@HIDDEN:

X-Loop: help-debbugs@HIDDEN
Subject: bug#78542: [Security] hash locking needed for tree-sitter downloads
Resent-From: Juri Linkov <juri@HIDDEN>
Original-Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
Resent-CC: bug-gnu-emacs@HIDDEN
Resent-Date: Fri, 20 Jun 2025 17:01:02 +0000
Resent-Message-ID: <handler.78542.B78542.175043882017592 <at> debbugs.gnu.org>
Resent-Sender: help-debbugs@HIDDEN
X-GNU-PR-Message: followup 78542
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
To: Daniel Colascione <dancol@HIDDEN>
Cc: Yuan Fu <casouri@HIDDEN>, 78542 <at> debbugs.gnu.org, Eli Zaretskii <eliz@HIDDEN>
Received: via spool by 78542-submit <at> debbugs.gnu.org id=B78542.175043882017592
          (code B ref 78542); Fri, 20 Jun 2025 17:01:02 +0000
Received: (at 78542) by debbugs.gnu.org; 20 Jun 2025 17:00:20 +0000
Received: from localhost ([127.0.0.1]:54635 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1uSf6A-0004Z8-S7
	for submit <at> debbugs.gnu.org; Fri, 20 Jun 2025 13:00:19 -0400
Received: from relay2-d.mail.gandi.net ([217.70.183.194]:46575)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <juri@HIDDEN>)
 id 1uSf5e-0004QT-OU; Fri, 20 Jun 2025 12:59:49 -0400
Received: by mail.gandi.net (Postfix) with ESMTPSA id 51CF143182;
 Fri, 20 Jun 2025 16:59:38 +0000 (UTC)
From: Juri Linkov <juri@HIDDEN>
In-Reply-To: <4BE28885-3135-4FA9-8665-22DBC9E31FC8@HIDDEN>
Organization: LINKOV.NET
References: <m1sekx7p7j.fsf@HIDDEN> <87o6vlxijm.fsf@HIDDEN>
 <86wm9oj7s0.fsf@HIDDEN> <87ecvugm9l.fsf@HIDDEN>
 <F7CE47A4-4714-453B-B9F2-5BD94F4692C8@HIDDEN>
 <87sek8p1h4.fsf@HIDDEN> <m1y0u082ht.fsf@HIDDEN>
 <87qzzfk6dw.fsf@HIDDEN> <87v7oripmn.fsf@HIDDEN>
 <4BE28885-3135-4FA9-8665-22DBC9E31FC8@HIDDEN>
Date: Fri, 20 Jun 2025 19:56:46 +0300
Message-ID: <878qlme4hd.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/31.0.50 (x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain
X-GND-State: clean
X-GND-Score: -100
X-GND-Cause: gggruggvucftvghtrhhoucdtuddrgeeffedrtddvgdekleegucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuifetpfffkfdpucggtfgfnhhsuhgsshgtrhhisggvnecuuegrihhlohhuthemuceftddunecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpefhvfevufgjohhffffkfgggtgesthdtredttdertdenucfhrhhomheplfhurhhiucfnihhnkhhovhcuoehjuhhriheslhhinhhkohhvrdhnvghtqeenucggtffrrghtthgvrhhnpeegtdekudehueevfefftedufeelgfejffektefgieevjeeigeekueejteelieegheenucffohhmrghinhepghhithhhuhgsrdgtohhmnecukfhppeeluddruddvledruddttddrjeejnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehinhgvthepledurdduvdelrddutddtrdejjedphhgvlhhopehmrghilhdrghgrnhguihdrnhgvthdpmhgrihhlfhhrohhmpehjuhhriheslhhinhhkohhvrdhnvghtpdhnsggprhgtphhtthhopeehpdhrtghpthhtoheptghonhhtrhholhesuggvsggsuhhgshdrghhnuhdrohhrghdprhgtphhtthhopegvlhhiiiesghhnuhdrohhrghdprhgtphhtthhopeejkeehgedvseguvggssghughhsrdhgnhhurdhorhhgpdhrtghpthhtoheptggrshhouhhrihesghhmrghilhdrtghomhdprhgtphhtthhopegurghntgholhesuggrnhgtohhlrdhorhhg
X-GND-Sasl: juri@HIDDEN
X-Spam-Score: -0.7 (/)
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

close 78542 31.0.50
thanks

>> The following patch introduces an alternative format
>> using keywords, e.g.:
>>
>>  (treesit--install-language-grammar-1
>>   (locate-user-emacs-file "tree-sitter") 'json
>>   "https://github.com/tree-sitter/tree-sitter-json"
>>   :commit "4d770d3")
>
> Great. While you're doing this, can you also please use full hashes?
> Short ones aren't particularly collision resistant.

So now replaced tags with full hashes that either correspond
to the previous tags or are mentioned explicitly in the comments
section of ts-mode files.

> P.S.S. Do we need the list of grammars in build.sh under admin? It
> duplicates what's in Lisp elsewhere in the tree.

I don't know if build.sh is still used or can be removed.
Maybe Yuan could answer.

Message received at control <at> debbugs.gnu.org:

Received: (at control) by debbugs.gnu.org; 20 Jun 2025 17:00:20 +0000
From debbugs-submit-bounces <at> debbugs.gnu.org Fri Jun 20 13:00:20 2025
Received: from localhost ([127.0.0.1]:54637 helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.84_2)
	(envelope-from <debbugs-submit-bounces <at> debbugs.gnu.org>)
	id 1uSf6B-0004Ze-Sm
	for submit <at> debbugs.gnu.org; Fri, 20 Jun 2025 13:00:20 -0400
Received: from relay2-d.mail.gandi.net ([217.70.183.194]:46575)
 by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
 (Exim 4.84_2) (envelope-from <juri@HIDDEN>)
 id 1uSf5e-0004QT-OU; Fri, 20 Jun 2025 12:59:49 -0400
Received: by mail.gandi.net (Postfix) with ESMTPSA id 51CF143182;
 Fri, 20 Jun 2025 16:59:38 +0000 (UTC)
From: Juri Linkov <juri@HIDDEN>
To: Daniel Colascione <dancol@HIDDEN>
Subject: Re: bug#78542: [Security] hash locking needed for tree-sitter
 downloads
In-Reply-To: <4BE28885-3135-4FA9-8665-22DBC9E31FC8@HIDDEN>
Organization: LINKOV.NET
References: <m1sekx7p7j.fsf@HIDDEN> <87o6vlxijm.fsf@HIDDEN>
 <86wm9oj7s0.fsf@HIDDEN> <87ecvugm9l.fsf@HIDDEN>
 <F7CE47A4-4714-453B-B9F2-5BD94F4692C8@HIDDEN>
 <87sek8p1h4.fsf@HIDDEN> <m1y0u082ht.fsf@HIDDEN>
 <87qzzfk6dw.fsf@HIDDEN> <87v7oripmn.fsf@HIDDEN>
 <4BE28885-3135-4FA9-8665-22DBC9E31FC8@HIDDEN>
Date: Fri, 20 Jun 2025 19:56:46 +0300
Message-ID: <878qlme4hd.fsf@HIDDEN>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/31.0.50 (x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain
X-GND-State: clean
X-GND-Score: -100
X-GND-Cause: gggruggvucftvghtrhhoucdtuddrgeeffedrtddvgdekleegucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecuifetpfffkfdpucggtfgfnhhsuhgsshgtrhhisggvnecuuegrihhlohhuthemuceftddunecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenucfjughrpefhvfevufgjohhffffkfgggtgesthdtredttdertdenucfhrhhomheplfhurhhiucfnihhnkhhovhcuoehjuhhriheslhhinhhkohhvrdhnvghtqeenucggtffrrghtthgvrhhnpeegtdekudehueevfefftedufeelgfejffektefgieevjeeigeekueejteelieegheenucffohhmrghinhepghhithhhuhgsrdgtohhmnecukfhppeeluddruddvledruddttddrjeejnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehinhgvthepledurdduvdelrddutddtrdejjedphhgvlhhopehmrghilhdrghgrnhguihdrnhgvthdpmhgrihhlfhhrohhmpehjuhhriheslhhinhhkohhvrdhnvghtpdhnsggprhgtphhtthhopeehpdhrtghpthhtoheptghonhhtrhholhesuggvsggsuhhgshdrghhnuhdrohhrghdprhgtphhtthhopegvlhhiiiesghhnuhdrohhrghdprhgtphhtthhopeejkeehgedvseguvggssghughhsrdhgnhhurdhorhhgpdhrtghpthhtoheptggrshhouhhrihesghhmrghilhdrtghomhdprhgtphhtthhopegurghntgholhesuggrnhgtohhlrdhorhhg
X-GND-Sasl: juri@HIDDEN
X-Spam-Score: -0.7 (/)
X-Debbugs-Envelope-To: control
Cc: Yuan Fu <casouri@HIDDEN>, 78542 <at> debbugs.gnu.org,
 Eli Zaretskii <eliz@HIDDEN>
X-BeenThere: debbugs-submit <at> debbugs.gnu.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <https://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=unsubscribe>
List-Archive: <https://debbugs.gnu.org/cgi-bin/mailman/private/debbugs-submit/>
List-Post: <mailto:debbugs-submit <at> debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=help>
List-Subscribe: <https://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>, 
 <mailto:debbugs-submit-request <at> debbugs.gnu.org?subject=subscribe>
Errors-To: debbugs-submit-bounces <at> debbugs.gnu.org
Sender: "Debbugs-submit" <debbugs-submit-bounces <at> debbugs.gnu.org>
X-Spam-Score: -1.7 (-)

close 78542 31.0.50
thanks

>> The following patch introduces an alternative format
>> using keywords, e.g.:
>>
>>  (treesit--install-language-grammar-1
>>   (locate-user-emacs-file "tree-sitter") 'json
>>   "https://github.com/tree-sitter/tree-sitter-json"
>>   :commit "4d770d3")
>
> Great. While you're doing this, can you also please use full hashes?
> Short ones aren't particularly collision resistant.

So now replaced tags with full hashes that either correspond
to the previous tags or are mentioned explicitly in the comments
section of ts-mode files.

> P.S.S. Do we need the list of grammars in build.sh under admin? It
> duplicates what's in Lisp elsewhere in the tree.

I don't know if build.sh is still used or can be removed.
Maybe Yuan could answer.

Last modified: Fri, 20 Jun 2025 17:15:02 UTC

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997 nCipher Corporation Ltd, 1994-97 Ian Jackson.