<feed xmlns='http://www.w3.org/2005/Atom'>
<title>git/commit.c, branch v2.26.3</title>
<subtitle>Mirror of https://git.kernel.org/pub/scm/git/git.git/
</subtitle>
<id>https://git.shady.money/git/atom?h=v2.26.3</id>
<link rel='self' href='https://git.shady.money/git/atom?h=v2.26.3'/>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/'/>
<updated>2020-02-17T21:22:17Z</updated>
<entry>
<title>Merge branch 'rs/strbuf-insertstr'</title>
<updated>2020-02-17T21:22:17Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2020-02-17T21:22:17Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=9f3f38769d49255d3fbf97f35a0dec591de17db3'/>
<id>urn:sha1:9f3f38769d49255d3fbf97f35a0dec591de17db3</id>
<content type='text'>
Code clean-up.

* rs/strbuf-insertstr:
  mailinfo: don't insert header prefix for handle_content_type()
  strbuf: add and use strbuf_insertstr()
</content>
</entry>
<entry>
<title>strbuf: add and use strbuf_insertstr()</title>
<updated>2020-02-10T17:04:45Z</updated>
<author>
<name>René Scharfe</name>
<email>l.s.r@web.de</email>
</author>
<published>2020-02-09T13:44:23Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=a91cc7fad0d48984135abe2fb70c41db61b500c5'/>
<id>urn:sha1:a91cc7fad0d48984135abe2fb70c41db61b500c5</id>
<content type='text'>
Add a function for inserting a C string into a strbuf.  Use it
throughout the source to get rid of magic string length constants and
explicit strlen() calls.

Like strbuf_addstr(), implement it as an inline function to avoid the
implicit strlen() calls to cause runtime overhead.

Helped-by: Taylor Blau &lt;me@ttaylorr.com&gt;
Helped-by: Eric Sunshine &lt;sunshine@sunshineco.com&gt;
Signed-off-by: René Scharfe &lt;l.s.r@web.de&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>gpg-interface: add minTrustLevel as a configuration option</title>
<updated>2020-01-15T22:06:06Z</updated>
<author>
<name>Hans Jerry Illikainen</name>
<email>hji@dyntopia.com</email>
</author>
<published>2019-12-27T13:55:57Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=54887b46890582e60fcb8ee1f287f62870c2ac0f'/>
<id>urn:sha1:54887b46890582e60fcb8ee1f287f62870c2ac0f</id>
<content type='text'>
Previously, signature verification for merge and pull operations checked
if the key had a trust-level of either TRUST_NEVER or TRUST_UNDEFINED in
verify_merge_signature().  If that was the case, the process die()d.

The other code paths that did signature verification relied entirely on
the return code from check_commit_signature().  And signatures made with
a good key, irregardless of its trust level, was considered valid by
check_commit_signature().

This difference in behavior might induce users to erroneously assume
that the trust level of a key in their keyring is always considered by
Git, even for operations where it is not (e.g. during a verify-commit or
verify-tag).

The way it worked was by gpg-interface.c storing the result from the
key/signature status *and* the lowest-two trust levels in the `result`
member of the signature_check structure (the last of these status lines
that were encountered got written to `result`).  These are documented in
GPG under the subsection `General status codes` and `Key related`,
respectively [1].

The GPG documentation says the following on the TRUST_ status codes [1]:

    """
    These are several similar status codes:

    - TRUST_UNDEFINED &lt;error_token&gt;
    - TRUST_NEVER     &lt;error_token&gt;
    - TRUST_MARGINAL  [0  [&lt;validation_model&gt;]]
    - TRUST_FULLY     [0  [&lt;validation_model&gt;]]
    - TRUST_ULTIMATE  [0  [&lt;validation_model&gt;]]

    For good signatures one of these status lines are emitted to
    indicate the validity of the key used to create the signature.
    The error token values are currently only emitted by gpgsm.
    """

My interpretation is that the trust level is conceptionally different
from the validity of the key and/or signature.  That seems to also have
been the assumption of the old code in check_signature() where a result
of 'G' (as in GOODSIG) and 'U' (as in TRUST_NEVER or TRUST_UNDEFINED)
were both considered a success.

The two cases where a result of 'U' had special meaning were in
verify_merge_signature() (where this caused git to die()) and in
format_commit_one() (where it affected the output of the %G? format
specifier).

I think it makes sense to refactor the processing of TRUST_ status lines
such that users can configure a minimum trust level that is enforced
globally, rather than have individual parts of git (e.g. merge) do it
themselves (except for a grace period with backward compatibility).

I also think it makes sense to not store the trust level in the same
struct member as the key/signature status.  While the presence of a
TRUST_ status code does imply that the signature is good (see the first
paragraph in the included snippet above), as far as I can tell, the
order of the status lines from GPG isn't well-defined; thus it would
seem plausible that the trust level could be overwritten with the
key/signature status if they were stored in the same member of the
signature_check structure.

This patch introduces a new configuration option: gpg.minTrustLevel.  It
consolidates trust-level verification to gpg-interface.c and adds a new
`trust_level` member to the signature_check structure.

Backward-compatibility is maintained by introducing a special case in
verify_merge_signature() such that if no user-configurable
gpg.minTrustLevel is set, then the old behavior of rejecting
TRUST_UNDEFINED and TRUST_NEVER is enforced.  If, on the other hand,
gpg.minTrustLevel is set, then that value overrides the old behavior.

Similarly, the %G? format specifier will continue show 'U' for
signatures made with a key that has a trust level of TRUST_UNDEFINED or
TRUST_NEVER, even though the 'U' character no longer exist in the
`result` member of the signature_check structure.  A new format
specifier, %GT, is also introduced for users that want to show all
possible trust levels for a signature.

Another approach would have been to simply drop the trust-level
requirement in verify_merge_signature().  This would also have made the
behavior consistent with other parts of git that perform signature
verification.  However, requiring a minimum trust level for signing keys
does seem to have a real-world use-case.  For example, the build system
used by the Qubes OS project currently parses the raw output from
verify-tag in order to assert a minimum trust level for keys used to
sign git tags [2].

[1] https://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob;f=doc/doc/DETAILS;h=bd00006e933ac56719b1edd2478ecd79273eae72;hb=refs/heads/master
[2] https://github.com/QubesOS/qubes-builder/blob/9674c1991deef45b1a1b1c71fddfab14ba50dccf/scripts/verify-git-tag#L43

Signed-off-by: Hans Jerry Illikainen &lt;hji@dyntopia.com&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Merge branch 'jk/cleanup-object-parsing-and-fsck'</title>
<updated>2019-12-01T17:04:28Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2019-12-01T17:04:28Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=0e07c1cd83535cf3a20d3d961a41bb4a627ce4e5'/>
<id>urn:sha1:0e07c1cd83535cf3a20d3d961a41bb4a627ce4e5</id>
<content type='text'>
Crufty code and logic accumulated over time around the object
parsing and low-level object access used in "git fsck" have been
cleaned up.

* jk/cleanup-object-parsing-and-fsck: (23 commits)
  fsck: accept an oid instead of a "struct tree" for fsck_tree()
  fsck: accept an oid instead of a "struct commit" for fsck_commit()
  fsck: accept an oid instead of a "struct tag" for fsck_tag()
  fsck: rename vague "oid" local variables
  fsck: don't require an object struct in verify_headers()
  fsck: don't require an object struct for fsck_ident()
  fsck: drop blob struct from fsck_finish()
  fsck: accept an oid instead of a "struct blob" for fsck_blob()
  fsck: don't require an object struct for report()
  fsck: only require an oid for skiplist functions
  fsck: only provide oid/type in fsck_error callback
  fsck: don't require object structs for display functions
  fsck: use oids rather than objects for object_name API
  fsck_describe_object(): build on our get_object_name() primitive
  fsck: unify object-name code
  fsck: require an actual buffer for non-blobs
  fsck: stop checking tag-&gt;tagged
  fsck: stop checking commit-&gt;parent counts
  fsck: stop checking commit-&gt;tree value
  commit, tag: don't set parsed bit for parse failures
  ...
</content>
</entry>
<entry>
<title>Merge branch 'pw/post-commit-from-sequencer'</title>
<updated>2019-11-10T09:02:12Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2019-11-10T09:02:12Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=5c8c0a0d78b0e0ee50ba13823f0cfbee05334461'/>
<id>urn:sha1:5c8c0a0d78b0e0ee50ba13823f0cfbee05334461</id>
<content type='text'>
"rebase -i" ceased to run post-commit hook by mistake in an earlier
update, which has been corrected.

* pw/post-commit-from-sequencer:
  sequencer: run post-commit hook
  move run_commit_hook() to libgit and use it there
  sequencer.h fix placement of #endif
  t3404: remove uneeded calls to set_fake_editor
  t3404: set $EDITOR in subshell
  t3404: remove unnecessary subshell
</content>
</entry>
<entry>
<title>commit, tag: don't set parsed bit for parse failures</title>
<updated>2019-10-28T05:04:49Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2019-10-25T21:20:20Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=228c78fbd42b58ebf43477290432c149358b04b1'/>
<id>urn:sha1:228c78fbd42b58ebf43477290432c149358b04b1</id>
<content type='text'>
If we can't parse a commit, then parse_commit() will return an error
code. But it _also_ sets the "parsed" flag, which tells us not to bother
trying to re-parse the object. That means that subsequent parses have no
idea that the information in the struct may be bogus.  I.e., doing this:

  parse_commit(commit);
  ...
  if (parse_commit(commit) &lt; 0)
          die("commit is broken");

will never trigger the die(). The second parse_commit() will see the
"parsed" flag and quietly return success.

There are two obvious ways to fix this:

  1. Stop setting "parsed" until we've successfully parsed.

  2. Keep a second "corrupt" flag to indicate that we saw an error (and
     when the parsed flag is set, return 0/-1 depending on the corrupt
     flag).

This patch does option 1. The obvious downside versus option 2 is that
we might continually re-parse a broken object. But in practice,
corruption like this is rare, and we typically die() or return an error
in the caller. So it's OK not to worry about optimizing for corruption.
And it's much simpler: we don't need to use an extra bit in the object
struct, and callers which check the "parsed" flag don't need to learn
about the corrupt bit, too.

There's no new test here, because this case is already covered in t5318.
Note that we do need to update the expected message there, because we
now detect the problem in the return from "parse_commit()", and not with
a separate check for a NULL tree. In fact, we can now ditch that
explicit tree check entirely, as we're covered robustly by this change
(and the previous recent change to treat a NULL tree as a parse error).

We'll also give tags the same treatment. I don't know offhand of any
cases where the problem can be triggered (it implies somebody ignoring a
parse error earlier in the process), but consistently returning an error
should cause the least surprise.

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>parse_commit_buffer(): treat lookup_tree() failure as parse error</title>
<updated>2019-10-21T02:15:23Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2019-10-18T04:43:29Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=12736d2f027c72d4c900f10ae064d2a673344c9e'/>
<id>urn:sha1:12736d2f027c72d4c900f10ae064d2a673344c9e</id>
<content type='text'>
If parsing a commit yields a valid tree oid, but we've seen that same
oid as a non-tree in the same process, the resulting commit struct will
end up with a NULL tree pointer, but not otherwise report a parsing
failure.

That's perhaps convenient for callers which want to operate on even
partially corrupt commits (e.g., by still looking at the parents). But
it leaves a potential trap for most callers, who now have to manually
check for a NULL tree. Most do not, and it's likely that there are
possible segfaults lurking. I say "possible" because there are many
candidates, and I don't think it's worth following through on
reproducing them when we can just fix them all in one spot. And
certainly we _have_ seen real-world cases, such as the one fixed by
806278dead (commit-graph.c: handle corrupt/missing trees, 2019-09-05).

Note that we can't quite drop the check in the caller added by that
commit yet, as there's some subtlety with repeated parsings (which will
be addressed in a future commit).

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>parse_commit_buffer(): treat lookup_commit() failure as parse error</title>
<updated>2019-10-21T02:15:23Z</updated>
<author>
<name>Jeff King</name>
<email>peff@peff.net</email>
</author>
<published>2019-10-18T04:42:13Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=c78fe00459d49cd57cbfabc5c564af0cb9a934f1'/>
<id>urn:sha1:c78fe00459d49cd57cbfabc5c564af0cb9a934f1</id>
<content type='text'>
While parsing the parents of a commit, if we are able to parse an actual
oid but lookup_commit() fails on it (because we previously saw it in
this process as a different object type), we silently omit the parent
and do not report any error to the caller.

The caller has no way of knowing this happened, because even an empty
parent list is a valid parse result. As a result, it's possible to fool
our "rev-list" connectivity check into accepting a corrupted set of
objects.

There's a test for this case already in t6102, but unfortunately it has
a slight error. It creates a broken commit with a parent line pointing
to a blob, and then checks that rev-list notices the problem in two
cases:

  1. the "lone" case: we traverse the broken commit by itself (here we
     try to actually load the blob from disk and find out that it's not
     a commit)

  2. the "seen" case: we parse the blob earlier in the process, and then
     when calling lookup_commit() we realize immediately that it's not a
     commit

The "seen" variant for this test mistakenly parsed another commit
instead of the blob, meaning that we were actually just testing the
"lone" case again. Changing that reveals the breakage (and shows that
this fixes it).

Signed-off-by: Jeff King &lt;peff@peff.net&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>move run_commit_hook() to libgit and use it there</title>
<updated>2019-10-16T01:30:51Z</updated>
<author>
<name>Phillip Wood</name>
<email>phillip.wood@dunelm.org.uk</email>
</author>
<published>2019-10-15T10:25:31Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=49697cb72122cf84b44111124821c9a4bcba3ab6'/>
<id>urn:sha1:49697cb72122cf84b44111124821c9a4bcba3ab6</id>
<content type='text'>
This function was declared in commit.h but was implemented in
builtin/commit.c so was not part of libgit. Move it to libgit so we can
use it in the sequencer. This simplifies the implementation of
run_prepare_commit_msg_hook() and will be used in the next commit.

Signed-off-by: Phillip Wood &lt;phillip.wood@dunelm.org.uk&gt;
Signed-off-by: Junio C Hamano &lt;gitster@pobox.com&gt;
</content>
</entry>
<entry>
<title>Merge branch 'tb/commit-graph-harden'</title>
<updated>2019-10-07T02:32:58Z</updated>
<author>
<name>Junio C Hamano</name>
<email>gitster@pobox.com</email>
</author>
<published>2019-10-07T02:32:58Z</published>
<link rel='alternate' type='text/html' href='https://git.shady.money/git/commit/?id=80693e3f09ab80cfe4a5a83467e765626ad0b15a'/>
<id>urn:sha1:80693e3f09ab80cfe4a5a83467e765626ad0b15a</id>
<content type='text'>
The code to parse and use the commit-graph file has been made more
robust against corrupted input.

* tb/commit-graph-harden:
  commit-graph.c: handle corrupt/missing trees
  commit-graph.c: handle commit parsing errors
  t/t5318: introduce failing 'git commit-graph write' tests
</content>
</entry>
</feed>
