GNU bug report logs - #78542
[Security] hash locking needed for tree-sitter downloads


Package: emacs; Reported by: Daniel Colascione <dancol@HIDDEN>; Done: Juri Linkov <juri@HIDDEN>; Maintainer for emacs is bug-gnu-emacs@HIDDEN.
Bug marked as fixed in version 31.0.50; send any further explanations to 78542 <at> debbugs.gnu.org and Daniel Colascione <dancol@HIDDEN>. Request was from Juri Linkov <juri@HIDDEN> to control <at> debbugs.gnu.org.

Message received at 78542 <at> debbugs.gnu.org:


From: Juri Linkov <juri@HIDDEN>
To: Daniel Colascione <dancol@HIDDEN>
Subject: Re: bug#78542: [Security] hash locking needed for tree-sitter downloads
Date: Fri, 20 Jun 2025 19:56:46 +0300
Cc: Yuan Fu <casouri@HIDDEN>, 78542 <at> debbugs.gnu.org, Eli Zaretskii <eliz@HIDDEN>

close 78542 31.0.50
thanks

>> The following patch introduces an alternative format
>> using keywords, e.g.:
>>
>>  (treesit--install-language-grammar-1
>>   (locate-user-emacs-file "tree-sitter") 'json
>>   "https://github.com/tree-sitter/tree-sitter-json"
>>   :commit "4d770d3")
>
> Great. While you're doing this, can you also please use full hashes?
> Short ones aren't particularly collision resistant.

So now replaced tags with full hashes that either correspond
to the previous tags or are mentioned explicitly in the comments
section of ts-mode files.

> P.S.S. Do we need the list of grammars in build.sh under admin? It
> duplicates what's in Lisp elsewhere in the tree.

I don't know if build.sh is still used or can be removed.
Maybe Yuan could answer.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#78542; Package emacs. Full text available.
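
The pinning discussed in this thread, as an added example that is not part of the original messages or of Emacs's treesit.el: a shell function that performs the blobless clone suggested further down, accepts only a full-length commit id, and confirms that HEAD is exactly that id before anything is built. The names `is_full_commit_id` and `fetch_pinned` and the return codes are hypothetical.

```shell
#!/bin/sh
# Added example, not Emacs code: fetch a grammar repository pinned to a
# full commit id.  Function names are hypothetical.

# Succeed only for a full lowercase hex object name: 40 characters
# (SHA-1) or 64 (SHA-256).  Abbreviations such as "4d770d3" are rejected.
is_full_commit_id() {
    case "$1" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ] || [ "${#1}" -eq 64 ]
}

# fetch_pinned URL COMMIT DEST
# Prints the verified commit id on success.  Return codes:
#   2 = COMMIT is not a full id, 3 = clone failed,
#   4 = commit not present or checkout failed, 5 = HEAD mismatch.
fetch_pinned() {
    fp_url=$1 fp_commit=$2 fp_dest=$3

    if ! is_full_commit_id "$fp_commit"; then
        echo "refusing abbreviated or malformed commit id: $fp_commit" >&2
        return 2
    fi

    # Blobless full clone: all commits and trees, file contents on demand.
    # --no-checkout avoids fetching blobs for the default branch tip, and
    # "--" keeps a URL that starts with "-" from being read as an option.
    git clone --quiet --filter=blob:none --no-checkout -- "$fp_url" "$fp_dest" || return 3

    # Detached checkout of the exact object.
    git -C "$fp_dest" checkout --quiet --detach "$fp_commit" || return 4

    # Compare what was actually checked out with the pin, character for
    # character, so only the pinned object itself can pass.
    fp_head=$(git -C "$fp_dest" rev-parse --verify HEAD) || return 4
    if [ "$fp_head" != "$fp_commit" ]; then
        echo "HEAD is $fp_head, expected $fp_commit" >&2
        return 5
    fi
    printf '%s\n' "$fp_head"
}
```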

Message received at 78542 <at> debbugs.gnu.org:


From: Juri Linkov <juri@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#78542: [Security] hash locking needed for tree-sitter downloads
Date: Fri, 20 Jun 2025 19:48:09 +0300
Cc: 78542 <at> debbugs.gnu.org, casouri@HIDDEN, dancol@HIDDEN

>>  The value should be an alist where each element has the form
>>  
>> -    (LANG . (URL REVISION SOURCE-DIR CC C++ COMMIT [KEYWORD VALUE]...))
>> +    (LANG . (URL REVISION SOURCE-DIR CC C++ COMMIT))
>>  
>>  Only LANG and URL are mandatory.  LANG is the language symbol.
>>  URL is the URL of the grammar's Git repository or a directory
>> @@ -5015,8 +5015,17 @@ treesit-language-source-alist
>>  CC and C++ are C and C++ compilers, defaulting to \"cc\" and
>>  \"c++\", respectively.
>>  
>> +Another way to specify optional data is to use keywords:
>> +
>> +    (LANG . (URL [KEYWORD VALUE]...))
>> +
>>  The currently supported keywords:
>>  
>> +`:revision' is the same as REVISION above.
>> +`:source-dir' is the same as SOURCE-DIR above.
>> +`:cc' is the same as CC above.
>> +`:c++' is the same as C++ above.
>> +`:commit' is the same as COMMIT above.
>>  `:copy-queries' when non-nil specifies whether to copy the files
>>  in the \"queries\" directory from the source directory to the
>>  installation directory.")
>
> This is okay, but I guess the keywords are not entirely independent?
> That is, to have a valid spec one needs several keywords to be
> specified together?  In that case, I think this should be stated in
> the doc string.

Actually, the keywords are independent.  This was the reason
to introduce the keywords, so they could be specified separately
from other keywords.





Message received at 78542 <at> debbugs.gnu.org:


Date: Fri, 20 Jun 2025 09:55:04 +0300
From: Eli Zaretskii <eliz@HIDDEN>
To: Juri Linkov <juri@HIDDEN>
Subject: Re: bug#78542: [Security] hash locking needed for tree-sitter downloads
Cc: 78542 <at> debbugs.gnu.org, casouri@HIDDEN, dancol@HIDDEN

> From: Juri Linkov <juri@HIDDEN>
> Cc: Yuan Fu <casouri@HIDDEN>,  78542 <at> debbugs.gnu.org,  Eli Zaretskii
>  <eliz@HIDDEN>
> Date: Thu, 19 Jun 2025 20:54:08 +0300
> 
>  The value should be an alist where each element has the form
>  
> -    (LANG . (URL REVISION SOURCE-DIR CC C++ COMMIT [KEYWORD VALUE]...))
> +    (LANG . (URL REVISION SOURCE-DIR CC C++ COMMIT))
>  
>  Only LANG and URL are mandatory.  LANG is the language symbol.
>  URL is the URL of the grammar's Git repository or a directory
> @@ -5015,8 +5015,17 @@ treesit-language-source-alist
>  CC and C++ are C and C++ compilers, defaulting to \"cc\" and
>  \"c++\", respectively.
>  
> +Another way to specify optional data is to use keywords:
> +
> +    (LANG . (URL [KEYWORD VALUE]...))
> +
>  The currently supported keywords:
>  
> +`:revision' is the same as REVISION above.
> +`:source-dir' is the same as SOURCE-DIR above.
> +`:cc' is the same as CC above.
> +`:c++' is the same as C++ above.
> +`:commit' is the same as COMMIT above.
>  `:copy-queries' when non-nil specifies whether to copy the files
>  in the \"queries\" directory from the source directory to the
>  installation directory.")

This is okay, but I guess the keywords are not entirely independent?
That is, to have a valid spec one needs several keywords to be
specified together?  In that case, I think this should be stated in
the doc string.





Message received at 78542 <at> debbugs.gnu.org:


Date: Thu, 19 Jun 2025 14:12:56 -0400
From: Daniel Colascione <dancol@HIDDEN>
To: Juri Linkov <juri@HIDDEN>
Subject: Re: bug#78542: [Security] hash locking needed for tree-sitter downloads
Cc: Yuan Fu <casouri@HIDDEN>, 78542 <at> debbugs.gnu.org,
 Eli Zaretskii <eliz@HIDDEN>

On June 19, 2025 1:54:08 PM EDT, Juri Linkov <juri@linkov.net> wrote:
>> +            (if commit
>> +                ;; Force blobless full clone to be able later
>> +                ;; to checkout a commit (bug#78542)=2E
>> +                (let ((treesit--install-language-grammar-blobless t)
>> +                      (treesit--install-language-grammar-full-clone t)=
)
>> +                  (treesit--git-clone-repo url revision workdir))
>> +              (treesit--git-clone-repo url revision workdir)))
>
>Since with this change it's possible to specify the commit,
>let's also improve the format of the source list.
>Currently adding a commit to the list requires
>prefixing it with four nils:
>
>  (treesit--install-language-grammar-1
>   (locate-user-emacs-file "tree-sitter") 'json
>   "https://github.com/tree-sitter/tree-sitter-json"
>   nil nil nil nil "4d770d3")
>
>The following patch introduces an alternative format
>using keywords, e.g.:
>
>  (treesit--install-language-grammar-1
>   (locate-user-emacs-file "tree-sitter") 'json
>   "https://github.com/tree-sitter/tree-sitter-json"
>   :commit "4d770d3")
>

Great. While you're doing this, can you also please use full hashes? Short ones aren't particularly collision resistant.






Message received at 78542 <at> debbugs.gnu.org:


From: Juri Linkov <juri@HIDDEN>
To: Daniel Colascione <dancol@HIDDEN>
Subject: Re: bug#78542: [Security] hash locking needed for tree-sitter downloads
Date: Thu, 19 Jun 2025 20:54:08 +0300
Cc: Yuan Fu <casouri@HIDDEN>, 78542 <at> debbugs.gnu.org, Eli Zaretskii <eliz@HIDDEN>

> +            (if commit
> +                ;; Force blobless full clone to be able later
> +                ;; to checkout a commit (bug#78542).
> +                (let ((treesit--install-language-grammar-blobless t)
> +                      (treesit--install-language-grammar-full-clone t))
> +                  (treesit--git-clone-repo url revision workdir))
> +              (treesit--git-clone-repo url revision workdir)))

Since with this change it's possible to specify the commit,
let's also improve the format of the source list.
Currently adding a commit to the list requires
prefixing it with four nils:

  (treesit--install-language-grammar-1
   (locate-user-emacs-file "tree-sitter") 'json
   "https://github.com/tree-sitter/tree-sitter-json"
   nil nil nil nil "4d770d3")

The following patch introduces an alternative format
using keywords, e.g.:

  (treesit--install-language-grammar-1
   (locate-user-emacs-file "tree-sitter") 'json
   "https://github.com/tree-sitter/tree-sitter-json"
   :commit "4d770d3")


[treesit-language-source-alist.patch (text/x-diff, inline)]

diff --git a/lisp/treesit.el b/lisp/treesit.el
index 353e991ec20..fedcb6ed1e9 100644
--- a/lisp/treesit.el
+++ b/lisp/treesit.el
@@ -4998,7 +4998,7 @@ treesit-language-source-alist
 
 The value should be an alist where each element has the form
 
-    (LANG . (URL REVISION SOURCE-DIR CC C++ COMMIT [KEYWORD VALUE]...))
+    (LANG . (URL REVISION SOURCE-DIR CC C++ COMMIT))
 
 Only LANG and URL are mandatory.  LANG is the language symbol.
 URL is the URL of the grammar's Git repository or a directory
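Review bot: Dropping `[KEYWORD VALUE]...` from the positional form here leaves entries written in the old documented shape, positional values followed by keywords, silently half-parsed. The keyword loop in the last hunk only runs while `(car args)` is a keyword, so when ARGS starts with a REVISION string (or nil) the loop is skipped and a trailing `:copy-queries` is never read. Either keep accepting keywords after the positional values, or state in the docstring that the two forms cannot be combined in that order.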
@@ -5015,8 +5015,17 @@ treesit-language-source-alist
 CC and C++ are C and C++ compilers, defaulting to \"cc\" and
 \"c++\", respectively.
 
+Another way to specify optional data is to use keywords:
+
+    (LANG . (URL [KEYWORD VALUE]...))
+
 The currently supported keywords:
 
+`:revision' is the same as REVISION above.
+`:source-dir' is the same as SOURCE-DIR above.
+`:cc' is the same as CC above.
+`:c++' is the same as C++ above.
+`:commit' is the same as COMMIT above.
 `:copy-queries' when non-nil specifies whether to copy the files
 in the \"queries\" directory from the source directory to the
 installation directory.")
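Review bot: The new keyword entries in the docstring do not say how the keyword and positional forms interact, or what `:commit` should contain. State that a keyword value takes precedence over the positional one (the fallback in the last hunk is `(unless commit (setq commit (nth 4 args)))`), and, since this bug is about hash locking, that `:commit` should be a full commit hash rather than an abbreviation.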
@@ -5203,7 +5212,7 @@ treesit--git-clone-repo
     (apply #'treesit--call-process-signal args)))
 
 (defun treesit--install-language-grammar-1
-    (out-dir lang url &optional revision source-dir cc c++ commit &rest args)
+    (out-dir lang url &rest args)
   "Compile and install a tree-sitter language grammar library.
 
 OUT-DIR is the directory to put the compiled library file.  If it
@@ -5211,8 +5220,7 @@ treesit--install-language-grammar-1
 configuration directory is used (and automatically created if it
 does not exist).
 
-For LANG, URL, REVISION, SOURCE-DIR, GRAMMAR-DIR, CC, C++, COMMIT, see
-`treesit-language-source-alist'.
+For ARGS, see `treesit-language-source-alist'.
 
 Return the git revision of the installed grammar.  The revision is
 generated by \"git describe\".  It only works when
@@ -5225,13 +5233,25 @@ treesit--install-language-grammar-1
          (workdir (if url-is-dir
                       maybe-repo-dir
                     (expand-file-name "repo")))
-         copy-queries version)
+         version
+         revision source-dir cc c++ commit copy-queries)
 
     ;; Process the keyword args.
     (while (keywordp (car args))
       (pcase (pop args)
-        (:copy-queries (setq copy-queries (pop args)))
-        (_ (pop args))))
+        (:revision     (setq revision     (pop args)))
+        (:source-dir   (setq source-dir   (pop args)))
+        (:cc           (setq cc           (pop args)))
+        (:c++          (setq c++          (pop args)))
+        (:commit       (setq commit       (pop args)))
+        (:copy-queries (setq copy-queries (pop args)))))
+
+    ;; Old positional convention for backward-compatibility:
+    (unless revision   (setq revision   (nth 0 args)))
+    (unless source-dir (setq source-dir (nth 1 args)))
+    (unless cc         (setq cc         (nth 2 args)))
+    (unless c++        (setq c++        (nth 3 args)))
+    (unless commit     (setq commit     (nth 4 args)))
 
     (unwind-protect
         (with-temp-buffer
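Review bot: The `pcase` in the keyword loop no longer has the `(_ (pop args))` fallback, so an unrecognized or misspelled keyword is popped without its value; the loop then stops at that value and the positional fallback reads it as REVISION via `(nth 0 args)`. A misspelled `:commit` would therefore drop the pin without any error. Restore a catch-all branch that either skips the value or signals an error for unknown keywords.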






Message received at 78542 <at> debbugs.gnu.org:


From: Juri Linkov <juri@HIDDEN>
To: Daniel Colascione <dancol@HIDDEN>
Subject: Re: bug#78542: [Security] hash locking needed for tree-sitter downloads
Date: Thu, 19 Jun 2025 20:06:51 +0300
Cc: Yuan Fu <casouri@HIDDEN>, 78542 <at> debbugs.gnu.org, Eli Zaretskii <eliz@HIDDEN>

>>>> When treesit--install-language-grammar-full-clone is nil,
>>>> "--depth 1" is added to "git clone".
>>>> 
>>>> So we need a Git guru to recommend a command line to use
>>>> "git clone" with "--depth 1" to check out a single commit.
>>>
>>> Would it work if we do a blobless full clone, checkout the commit, and fetch depth=1? Eg,
>>>
>>> git clone https://github.com/tree-sitter/tree-sitter-json.git --filter=blob:none
>>> cd tree-sitter-json
>>> git checkout 4d770d3
>>> git fetch --depth=1
>>
>> This still keeps full history.
>
> There's a difference between full history and all blobs for all
> revisions in this history.  You can also use --shallow-since during the
> clone with a date to further limit history.  --shallow-exclude would
> probably work even better, since you wouldn't need a date, but it's
> broken for me somehow, at least with the repository above.
> But --shallow-since works.

I can't find what value to provide for --shallow-since.
So let's just use a blobless full clone:

diff --git a/lisp/treesit.el b/lisp/treesit.el
index 353e991ec20..5d03f0cf45e 100644
--- a/lisp/treesit.el
+++ b/lisp/treesit.el
@@ -5238,7 +5238,13 @@ treesit--install-language-grammar-1
           (if url-is-dir
               (when revision
                 (treesit--git-checkout-branch workdir revision))
-            (treesit--git-clone-repo url revision workdir))
+            (if commit
+                ;; Force blobless full clone to be able later
+                ;; to checkout a commit (bug#78542).
+                (let ((treesit--install-language-grammar-blobless t)
+                      (treesit--install-language-grammar-full-clone t))
+                  (treesit--git-clone-repo url revision workdir))
+              (treesit--git-clone-repo url revision workdir)))
           (when commit
             (treesit--git-checkout-branch workdir commit))
           (setq version (treesit--language-git-revision workdir))
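
Review bot: After the forced blobless full clone in the new `(if commit ...)` branch, the unchanged `(when commit (treesit--git-checkout-branch workdir commit))` is the only place the pin is applied, and nothing visible here checks that HEAD actually ended up at the requested commit. Since `version` is read from `treesit--language-git-revision` on the following line, consider checking there that the resolved commit corresponds to `commit` and signalling an error on mismatch, so that the install fails closed, e.g. when `commit` is an abbreviated hash. As a style point, the two identical `(treesit--git-clone-repo url revision workdir)` calls could be merged by binding both variables to `commit` or-ed with their current values, and the comment would read better as "to be able to check out a commit later".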




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#78542; Package emacs. Full text available.

Message received at 78542 <at> debbugs.gnu.org:


From: Daniel Colascione <dancol@HIDDEN>
To: Juri Linkov <juri@HIDDEN>
Subject: Re: bug#78542: [Security] hash locking needed for tree-sitter
 downloads
Date: Tue, 10 Jun 2025 00:44:30 -0700
Cc: Yuan Fu <casouri@HIDDEN>, 78542 <at> debbugs.gnu.org,
 Eli Zaretskii <eliz@HIDDEN>

Juri Linkov <juri@HIDDEN> writes:

>>> When treesit--install-language-grammar-full-clone is nil,
>>> "--depth 1" is added to "git clone".
>>> 
>>> So we need a Git guru to recommend a command line to use
>>> "git clone" with "--depth 1" to check out a single commit.
>>
>> Would it work if we do a blobless full clone, checkout the commit, and fetch depth=1? Eg,
>>
>> git clone https://github.com/tree-sitter/tree-sitter-json.git --filter=blob:none
>> cd tree-sitter-json
>> git checkout 4d770d3
>> git fetch --depth=1
>
> This still keeps full history.

There's a difference between full history and all blobs for all
revisions in this history.  You can also use --shallow-since during the
clone with a date to further limit history.  --shallow-exclude would
probably work even better, since you wouldn't need a date, but it's
broken for me somehow, at least with the repository above.
But --shallow-since works.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#78542; Package emacs. Full text available.

Message received at 78542 <at> debbugs.gnu.org:


From: Juri Linkov <juri@HIDDEN>
To: Yuan Fu <casouri@HIDDEN>
Subject: Re: bug#78542: [Security] hash locking needed for tree-sitter
 downloads
Organization: LINKOV.NET
Date: Tue, 10 Jun 2025 09:23:31 +0300
Cc: 78542 <at> debbugs.gnu.org, Eli Zaretskii <eliz@HIDDEN>, dancol@HIDDEN

>> When treesit--install-language-grammar-full-clone is nil,
>> "--depth 1" is added to "git clone".
>> 
>> So we need a Git guru to recommend a command line to use
>> "git clone" with "--depth 1" to check out a single commit.
>
> Would it work if we do a blobless full clone, checkout the commit, and fetch depth=1? Eg,
>
> git clone https://github.com/tree-sitter/tree-sitter-json.git --filter=blob:none
> cd tree-sitter-json
> git checkout 4d770d3
> git fetch --depth=1

This still keeps full history.  This means we could simply
set the default value of treesit--install-language-grammar-full-clone
to t, or completely remove this variable, if there is no way
to clone at a specific commit without fetching full history?




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#78542; Package emacs. Full text available.

Message received at 78542 <at> debbugs.gnu.org:


Subject: Re: bug#78542: [Security] hash locking needed for tree-sitter
 downloads
From: Yuan Fu <casouri@HIDDEN>
Date: Mon, 9 Jun 2025 18:38:03 -0700
To: Juri Linkov <juri@HIDDEN>
Cc: 78542 <at> debbugs.gnu.org, Eli Zaretskii <eliz@HIDDEN>, dancol@HIDDEN



> On Jun 8, 2025, at 10:45 AM, Juri Linkov <juri@HIDDEN> wrote:
>
>>> The only reason currently tags are used instead of commit hashes is
>>> because there is no way to checkout a specific commit with the
>>> current implementation when the default value of
>>> 'treesit--install-language-grammar-full-clone' is nil.
>
> Here is the current state:
>
> 1. (treesit--install-language-grammar-1
>    (locate-user-emacs-file "tree-sitter") 'json
>    "https://github.com/tree-sitter/tree-sitter-json")
>
>  installs the latest commit 46aa487.
>
> 2. (treesit--install-language-grammar-1
>    (locate-user-emacs-file "tree-sitter") 'json
>    "https://github.com/tree-sitter/tree-sitter-json"
>    "v0.24.8")
>
>  installs the commit ee35a6e tagged v0.24.8.
>
> 3. (treesit--install-language-grammar-1
>    (locate-user-emacs-file "tree-sitter") 'json
>    "https://github.com/tree-sitter/tree-sitter-json"
>    "4d770d3")
>
>  fails to check out "4d770d3" with the error:
>
>  git clone https://github.com/tree-sitter/tree-sitter-json --quiet --depth 1 -b 4d770d3
>  warning: Could not find remote branch 4d770d3 to clone
>  fatal: Remote branch 4d770d3 not found in upstream origin
>
> 4. (treesit--install-language-grammar-1
>    (locate-user-emacs-file "tree-sitter") 'json
>    "https://github.com/tree-sitter/tree-sitter-json"
>    nil nil nil nil "4d770d3")
>
>  fails to check out "4d770d3" with the error:
>
>  git -C /tmp/treesit-workdirHhEIhg/repo checkout 4d770d3
>  error: pathspec '4d770d3' did not match any file(s) known to git
>
> After (setq treesit--install-language-grammar-full-clone t):
>
> 5. (treesit--install-language-grammar-1
>    (locate-user-emacs-file "tree-sitter") 'json
>    "https://github.com/tree-sitter/tree-sitter-json"
>    "4d770d3")
>
>  successfully installs the commit "v0.24.8-1-g4d770d3".
>
> When treesit--install-language-grammar-full-clone is nil,
> "--depth 1" is added to "git clone".
>
> So we need a Git guru to recommend a command line to use
> "git clone" with "--depth 1" to check out a single commit.

Would it work if we do a blobless full clone, checkout the commit, and fetch depth=1? Eg,

git clone https://github.com/tree-sitter/tree-sitter-json.git --filter=blob:none
cd tree-sitter-json
git checkout 4d770d3
git fetch --depth=1

Yuan




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#78542; Package emacs. Full text available.

Message received at 78542 <at> debbugs.gnu.org:


From: Juri Linkov <juri@HIDDEN>
To: Eli Zaretskii <eliz@HIDDEN>
Subject: Re: bug#78542: [Security] hash locking needed for tree-sitter
 downloads
Organization: LINKOV.NET
Date: Sun, 08 Jun 2025 20:45:42 +0300
Cc: 78542 <at> debbugs.gnu.org, casouri@HIDDEN, dancol@HIDDEN

>> The only reason currently tags are used instead of commit hashes is
>> because there is no way to checkout a specific commit with the
>> current implementation when the default value of
>> 'treesit--install-language-grammar-full-clone' is nil.

Here is the current state:

1. (treesit--install-language-grammar-1
    (locate-user-emacs-file "tree-sitter") 'json
    "https://github.com/tree-sitter/tree-sitter-json")

  installs the latest commit 46aa487.

2. (treesit--install-language-grammar-1
    (locate-user-emacs-file "tree-sitter") 'json
    "https://github.com/tree-sitter/tree-sitter-json"
    "v0.24.8")

  installs the commit ee35a6e tagged v0.24.8.

3. (treesit--install-language-grammar-1
    (locate-user-emacs-file "tree-sitter") 'json
    "https://github.com/tree-sitter/tree-sitter-json"
    "4d770d3")

  fails to check out "4d770d3" with the error:

  git clone https://github.com/tree-sitter/tree-sitter-json --quiet --depth 1 -b 4d770d3
  warning: Could not find remote branch 4d770d3 to clone
  fatal: Remote branch 4d770d3 not found in upstream origin

4. (treesit--install-language-grammar-1
    (locate-user-emacs-file "tree-sitter") 'json
    "https://github.com/tree-sitter/tree-sitter-json"
    nil nil nil nil "4d770d3")

  fails to check out "4d770d3" with the error:

  git -C /tmp/treesit-workdirHhEIhg/repo checkout 4d770d3
  error: pathspec '4d770d3' did not match any file(s) known to git

After (setq treesit--install-language-grammar-full-clone t):

5. (treesit--install-language-grammar-1
    (locate-user-emacs-file "tree-sitter") 'json
    "https://github.com/tree-sitter/tree-sitter-json"
    "4d770d3")

  successfully installs the commit "v0.24.8-1-g4d770d3".

When treesit--install-language-grammar-full-clone is nil,
"--depth 1" is added to "git clone".

So we need a Git guru to recommend a command line to use
"git clone" with "--depth 1" to check out a single commit.




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#78542; Package emacs. Full text available.

Message received at 78542 <at> debbugs.gnu.org:


Date: Sat, 07 Jun 2025 11:05:51 +0300
From: Eli Zaretskii <eliz@HIDDEN>
To: Juri Linkov <juri@HIDDEN>, casouri@HIDDEN
Subject: Re: bug#78542: [Security] hash locking needed for tree-sitter
 downloads
Cc: 78542 <at> debbugs.gnu.org, dancol@HIDDEN

Ping!  Do we want to make some progress here?

> Cc: Yuan Fu <casouri@HIDDEN>, 78542 <at> debbugs.gnu.org
> From: Juri Linkov <juri@HIDDEN>
> Date: Thu, 22 May 2025 09:36:57 +0300
> 
> > When downloading code, a tag isn't good enough.  We should insist on a
> > specific commit.
> > [...]
> > The entries in treesit-language-source-alist mostly have tags but not
> > commit hashes.  The expected commit hash should be *mandatory*, because
> > right now, anyone with access to one of these repositories can retarget
> > any of those tags at malicious code.
> 
> Indeed, tags can be easily relocated to a different commit.
> 
> > Every other important language ecosystem has evolved some kind of "hash
> > locking" capability for breaking the author-retargets-to-malware attack
> > vector.  We should too.  We shouldn't allow the commit hash to be absent
> > for ordinary users.
> 
> Agreed, "hash locking" should lock commit hashes, not tags.
> 
> > P.S. we've debated vendoring these grammars with Emacs.  I still think
> > that's the right way to go.  But if we're going to download and build,
> > we should at least do it in a secure way.
> 
> The only reason currently tags are used instead of commit hashes is
> because there is no way to checkout a specific commit with the
> current implementation when the default value of
> 'treesit--install-language-grammar-full-clone' is nil.
> 
> > P.S.S. Do we need the list of grammars in build.sh under admin? It
> > duplicates what's in Lisp elsewhere in the tree.
> 
> Apparently no need, so they could be removed.
> 
> 
> 
> 




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#78542; Package emacs. Full text available.

Message received at 78542 <at> debbugs.gnu.org:


From: Juri Linkov <juri@HIDDEN>
To: Daniel Colascione <dancol@HIDDEN>
Subject: Re: bug#78542: [Security] hash locking needed for tree-sitter
 downloads
Organization: LINKOV.NET
Date: Thu, 22 May 2025 09:36:57 +0300
Cc: Yuan Fu <casouri@HIDDEN>, 78542 <at> debbugs.gnu.org

> When downloading code, a tag isn't good enough.  We should insist on a
> specific commit.
> [...]
> The entries in treesit-language-source-alist mostly have tags but not
> commit hashes.  The expected commit hash should be *mandatory*, because
> right now, anyone with access to one of these repositories can retarget
> any of those tags at malicious code.

Indeed, tags can be easily relocated to a different commit.

> Every other important language ecosystem has evolved some kind of "hash
> locking" capability for breaking the author-retargets-to-malware attack
> vector.  We should too.  We shouldn't allow the commit hash to be absent
> for ordinary users.

Agreed, "hash locking" should lock commit hashes, not tags.

> P.S. we've debated vendoring these grammars with Emacs.  I still think
> that's the right way to go.  But if we're going to download and build,
> we should at least do it in a secure way.

The only reason currently tags are used instead of commit hashes is
because there is no way to checkout a specific commit with the
current implementation when the default value of
'treesit--install-language-grammar-full-clone' is nil.

> P.S.S. Do we need the list of grammars in build.sh under admin? It
> duplicates what's in Lisp elsewhere in the tree.

Apparently no need, so they could be removed.
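
Added example, not part of the thread and not Emacs code: a shell demonstration, on constructed local repositories, of the two points discussed in this report: a tag can be moved to another commit while a recorded full commit hash cannot, and a single pinned commit can be fetched with `--depth 1` when the server accepts requests by commit id. The function names, the `v1.0.0` tag and the `uploadpack.allowReachableSHA1InWant` setting on the constructed upstream are assumptions of the example.

```shell
#!/bin/sh
# Added example: constructed local repositories only, no network access.
set -eu

# Run git with a fixed identity and no signing so the demo is reproducible.
g() {
    git -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false -c tag.gpgsign=false \
        -c init.defaultBranch=main -c advice.detachedHead=false "$@"
}

# Build a constructed "upstream" with one release commit tagged v1.0.0.
# Prints the full commit hash a consumer would record as the pin.
make_upstream() (
    set -e
    up=$1
    g init -q "$up"
    # Assumption: the server accepts fetch-by-commit-id for reachable commits.
    g -C "$up" config uploadpack.allowReachableSHA1InWant true
    echo 'grammar v1' > "$up/grammar.js"
    g -C "$up" add grammar.js
    g -C "$up" commit -q -m 'release 1.0.0'
    g -C "$up" tag v1.0.0
    g -C "$up" rev-parse HEAD
)

# Simulate the upstream-side event the report worries about: the same tag
# name points at a different commit after the consumer recorded it.
retarget_tag() (
    set -e
    up=$1
    echo 'grammar v1, modified' > "$up/grammar.js"
    g -C "$up" commit -q -am 'later change'
    g -C "$up" tag -f v1.0.0 >/dev/null
)

# Tag-based install, same shape as the "git clone --depth 1 -b" on the page.
# Prints whatever commit the tag names at the time of the clone.
clone_by_tag() (
    g clone -q --depth 1 -b "$2" "$1" "$3" || exit 1
    g -C "$3" rev-parse HEAD
)

# Hash-locked install: fetch exactly one commit by its full hash with
# --depth 1, check it out, and fail closed unless HEAD is that commit.
fetch_pinned() (
    url=$1 pin=$2 dest=$3
    # Require a full 40-hex SHA-1 (SHA-1 object format assumed); an
    # abbreviated hash is not accepted as a pin here.
    case $pin in
        *[!0-9a-f]*) echo "pin is not lowercase hex: $pin" >&2; exit 2 ;;
    esac
    [ "${#pin}" -eq 40 ] || { echo "pin must be 40 hex digits" >&2; exit 2; }
    g init -q "$dest" || exit 1
    g -C "$dest" fetch -q --depth 1 "$url" "$pin" || exit 1
    g -C "$dest" checkout -q --detach FETCH_HEAD || exit 1
    got=$(g -C "$dest" rev-parse HEAD) || exit 1
    [ "$got" = "$pin" ] || { echo "pin mismatch: got $got" >&2; exit 1; }
    echo "$got"
)

demo() (
    set -e
    work=$(mktemp -d)
    pin=$(make_upstream "$work/upstream")
    url="file://$work/upstream"
    echo "recorded pin:        $pin"
    echo "tag before retarget: $(clone_by_tag "$url" v1.0.0 "$work/t1")"
    retarget_tag "$work/upstream"
    echo "tag after retarget:  $(clone_by_tag "$url" v1.0.0 "$work/t2")"
    echo "pinned fetch:        $(fetch_pinned "$url" "$pin" "$work/p1")"
    rm -rf "$work"
)

demo
```

After the tag is moved, the tag-based clone silently yields a different commit, while the pinned fetch still returns the recorded hash and keeps a history of one commit.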




Information forwarded to bug-gnu-emacs@HIDDEN:
bug#78542; Package emacs. Full text available.

Message received at submit <at> debbugs.gnu.org:


From: Daniel Colascione <dancol@HIDDEN>
To: bug-gnu-emacs@HIDDEN
Subject: [Security] hash locking needed for tree-sitter downloads
User-Agent: mu4e 1.12.10; emacs 31.0.50
Date: Wed, 21 May 2025 15:12:32 -0400
Message-ID: <m1sekx7p7j.fsf@HIDDEN>

When downloading code, a tag isn't good enough.  We should insist on a
specific commit.

We have a fair bit of code in Emacs that looks like this:

(add-to-list
 'treesit-language-source-alist
 '(javascript "https://github.com/tree-sitter/tree-sitter-javascript" "v0.23.1")
 t)
(add-to-list
 'treesit-language-source-alist
 '(jsdoc "https://github.com/tree-sitter/tree-sitter-jsdoc" "v0.23.2")
 t)

The entries in treesit-language-source-alist mostly have tags but not
commit hashes.  The expected commit hash should be *mandatory*, because
right now, anyone with access to one of these repositories can retarget
any of those tags at malicious code.

See https://snyk.io/blog/npm-security-preventing-supply-chain-attacks/

Every other important language ecosystem has evolved some kind of "hash
locking" capability for breaking the author-retargets-to-malware attack
vector.  We should too.  We shouldn't allow the commit hash to be absent
for ordinary users.

P.S. we've debated vendoring these grammars with Emacs.  I still think
that's the right way to go.  But if we're going to download and build,
we should at least do it in a secure way.

P.S.S. Do we need the list of grammars in build.sh under admin? It
duplicates what's in Lisp elsewhere in the tree.
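
Added example, not part of the message above and not Emacs code: a check that compares the commit a tag currently resolves to against a commit recorded at review time, which is the "hash locking" the report asks for. The function names and the object ids are assumptions constructed for illustration; the input format is that of `git ls-remote --tags`.

```python
import re

FULL_SHA1 = re.compile(r"[0-9a-f]{40}")

def parse_ls_remote(text):
    """Map tag name -> commit id from `git ls-remote --tags` output.

    An annotated tag is listed twice: once with the id of the tag object
    and once as `<tag>^{}` with the commit it points at.  The peeled
    `^{}` line is the one that identifies the code, so it wins.
    """
    refs = {}
    for line in text.strip().splitlines():
        oid, ref = line.split("\t", 1)
        if not ref.startswith("refs/tags/"):
            continue  # HEAD and branches are not what the entry names
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            refs[name[:-3]] = oid
        else:
            refs.setdefault(name, oid)
    return refs

def check_pin(tag, pinned, ls_remote_text):
    """Return 'unpinned', 'tag-missing', 'retargeted' or 'ok'."""
    # A tag name or an abbreviated hash is not a lock: only a full
    # commit id names one exact tree.
    if not (pinned and FULL_SHA1.fullmatch(pinned)):
        return "unpinned"
    current = parse_ls_remote(ls_remote_text).get(tag)
    if current is None:
        return "tag-missing"
    return "ok" if current == pinned else "retargeted"

# Constructed sample data; these object ids are made up.
REVIEWED = "1" * 40   # commit recorded when the grammar was reviewed
TAG_OBJ = "2" * 40    # id of the annotated tag object itself
OTHER = "3" * 40      # commit the tag points at after being moved

AT_REVIEW = (TAG_OBJ + "\trefs/tags/v0.23.1\n"
             + REVIEWED + "\trefs/tags/v0.23.1^{}\n")
AFTER_MOVE = OTHER + "\trefs/tags/v0.23.1\n"

if __name__ == "__main__":
    for label, listing in (("at review", AT_REVIEW), ("after move", AFTER_MOVE)):
        print(label, check_pin("v0.23.1", REVIEWED, listing))
    print("tag only", check_pin("v0.23.1", None, AFTER_MOVE))
```

An entry that carries only a tag reports "unpinned" no matter what the remote returns, because there is nothing to compare the download against.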




Acknowledgement sent to Daniel Colascione <dancol@HIDDEN>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs@HIDDEN. Full text available.
Report forwarded to bug-gnu-emacs@HIDDEN:
bug#78542; Package emacs. Full text available.
Last modified: Fri, 20 Jun 2025 17:15:02 UTC
