Re: [PATCH 05/10] submodule--helper: add is_active command

2017-02-23 Thread Stefan Beller
On Thu, Feb 23, 2017 at 3:47 PM, Brandon Williams wrote: > There are a lot of places where an explicit check for > submodule."".url is done to see if a submodule exists. In order > to more easily facilitate the use of the submodule.active config option > to indicate active

Re: [PATCH 10/15] update submodules: add submodule_move_head

2017-02-23 Thread Ramsay Jones
On 23/02/17 22:57, Stefan Beller wrote: > In later patches we introduce the options and flag for commands > that modify the working directory, e.g. git-checkout. > > This piece of code will be used universally for > all these working tree modifications as it > * supports dry run to answer the

Re: SHA1 collisions found

2017-02-23 Thread Linus Torvalds
On Thu, Feb 23, 2017 at 3:05 PM, Jeff King wrote: > > (By the way, I don't see your version on the list, Linus, which probably > means it was eaten by the 100K filter). Ahh. I didn't even think about a size filter. Doesn't matter, your version looks fine. Linus

Re: [PATCH 1/3] add collision-detecting sha1 implementation

2017-02-23 Thread Jeff King
On Thu, Feb 23, 2017 at 03:15:11PM -0800, Stefan Beller wrote: > On Thu, Feb 23, 2017 at 3:05 PM, Jeff King wrote: > > > +* Copyright 2017 Marc Stevens , Dan Shumow > > (dan...@microsoft.com) > > +* Distributed under the MIT Software License. > > +* See

Re: [PATCH v2 1/4] delete_ref: accept a reflog message argument

2017-02-23 Thread Junio C Hamano
Duy Nguyen writes: > On Tue, Feb 21, 2017 at 8:10 AM, Kyle Meyer wrote: >> diff --git a/refs.h b/refs.h >> index 9fbff90e7..5880886a7 100644 >> --- a/refs.h >> +++ b/refs.h >> @@ -276,8 +276,8 @@ int reflog_exists(const char *refname); >> * exists,

Re: [PATCH v2] config: reject invalid VAR in 'git -c VAR=VAL command'

2017-02-23 Thread Junio C Hamano
Junio C Hamano writes: > Jeff King writes: > >> FWIW, the code looks OK here. It is a shame to duplicate the policy >> found in git_config_parse_key(), though. >> >> I wonder if we could make a master version of that which canonicalizes >> in-place, and then

Re: [PATCH 00/10] decoupling a submodule's existence and its url

2017-02-23 Thread Stefan Beller
On Thu, Feb 23, 2017 at 3:47 PM, Brandon Williams wrote: > There are two motivations for decoupling a submodule's existence from the url > that is stored in .git/config. > > 1. Worktrees can't really be used with submodules since the existence is >checked based on the

Re: [BUG] allowtipsha1inwant serves unreachable blobs if you know its hash

2017-02-23 Thread Jeff King
On Thu, Feb 23, 2017 at 03:50:00PM -0800, Junio C Hamano wrote: > Jonathan Tan writes: > > > Adding "--objects" works, and all existing tests pass, except for the > > potential performance issue and the side effect that even fetching a > > reachable blob no longer

Re: [PATCH 1/3] add collision-detecting sha1 implementation

2017-02-23 Thread Linus Torvalds
On Thu, Feb 23, 2017 at 4:01 PM, Jeff King wrote: > > You know, I didn't even look at the LICENSE file, since it said MIT and > had a link here. It would be trivial to copy it over, too, of course. You should do it. It's just good to be careful and clear with licenses, and the

Re: [PATCH 10/10] submodule--helper clone: check for configured submodules using helper

2017-02-23 Thread Stefan Beller
On Thu, Feb 23, 2017 at 3:47 PM, Brandon Williams wrote: > @@ -795,14 +794,11 @@ static int prepare_to_clone_next_submodule(const struct > cache_entry *ce, > } > > /* > -* Looking up the url in .git/config. > +* Check if the submodule has been

Re: [PATCH 4/4] ident: do not ignore empty config name/email

2017-02-23 Thread Jeff King
On Thu, Feb 23, 2017 at 12:58:39PM -0800, Junio C Hamano wrote: > Jeff King writes: > > > This one is perhaps questionable. Maybe somebody is relying on setting a > > per-repo user.name to override a ~/.gitconfig value and enforce > > auto-detection? > > Thanks for splitting

Re: [PATCH 15/15] builtin/checkout: add --recurse-submodules switch

2017-02-23 Thread Ramsay Jones
On 23/02/17 22:57, Stefan Beller wrote: > Signed-off-by: Stefan Beller > --- > Documentation/git-checkout.txt | 7 +++ > builtin/checkout.c | 28 > t/lib-submodule-update.sh | 33 - >

Re: [PATCH v5 1/1] config: add conditional include

2017-02-23 Thread Junio C Hamano
Nguyễn Thái Ngọc Duy writes: >> There was some discussion after v4. I think the open issues are: >> >> - the commit message is rather terse (it should describe motivation, >> and can refer to the docs for the "how") > This allows some more flexibility in managing

Re: SHA1 collisions found

2017-02-23 Thread Jeff King
On Thu, Feb 23, 2017 at 11:09:32AM -0800, Linus Torvalds wrote: > On Thu, Feb 23, 2017 at 10:46 AM, Jeff King wrote: > >> > >> So I agree with you that we need to make git check for the opaque > >> data. I think I was the one who brought that whole argument up. > > > > We do

Re: [PATCH] http(s): automatically try NTLM authentication first

2017-02-23 Thread Jeff King
On Thu, Feb 23, 2017 at 11:11:05AM -0800, Junio C Hamano wrote: > >> As far as Kerberos, this is a desirable feature to have enabled, with > >> little downside. I just don't know about the security of the NTLM part, > >> and I don't think we should take this patch unless we're sure we know > >>

Re: [PATCH 3/4] filter-branch: fix --prune-empty on parentless commits

2017-02-23 Thread Devin J. Pohly
On Thu, Feb 23, 2017 at 01:17:49PM -0800, Junio C Hamano wrote: > "Devin J. Pohly" writes: > > > Previously, the git_commit_non_empty_tree function would always pass any > > commit with no parents to git-commit-tree, regardless of whether the > > tree was nonempty. The new

What's cooking in git.git (Feb 2017, #07; Thu, 23)

2017-02-23 Thread Junio C Hamano
Here are the topics that have been cooking. Commits prefixed with '-' are only in 'pu' (proposed updates) while commits prefixed with '+' are in 'next'. The ones marked with '.' do not appear in any of the integration branches, but I am still holding onto them. You can find the changes

Re: [PATCH 2/2] http: add an "auto" mode for http.emptyauth

2017-02-23 Thread Jeff King
On Thu, Feb 23, 2017 at 04:31:13PM +, David Turner wrote: > > As somebody who is using non-Basic auth, can you apply these patches and > > show us the output of: > > > >GIT_TRACE_CURL=1 \ > >git ls-remote https://your-server 2>&1 >/dev/null | > >egrep '(Send|Recv) header:

Re: SHA1 collisions found

2017-02-23 Thread Jeff King
On Thu, Feb 23, 2017 at 11:47:16AM -0800, Linus Torvalds wrote: > On Thu, Feb 23, 2017 at 11:32 AM, Jeff King wrote: > > > > Yeah, they're not expensive. We've discussed enabling them by default. > > The sticking point is that there is old history with minor bugs which > >

RE: [PATCH 2/2] http: add an "auto" mode for http.emptyauth

2017-02-23 Thread David Turner
> -Original Message- > From: Jeff King [mailto:p...@peff.net] > Sent: Thursday, February 23, 2017 2:44 PM > To: David Turner > Cc: Junio C Hamano ; git@vger.kernel.org; > sand...@crustytoothpaste.net; Johannes Schindelin >

Re: SHA1 collisions found

2017-02-23 Thread Øyvind A . Holm
On 2017-02-23 11:09:32, Linus Torvalds wrote: > I'm aware of the fsck checks, but I have to admit I wasn't aware of > 'transfer.fsckobjects'. I should turn that on myself. > > Or maybe git should just turn it on by default? The problem with this is that there are many repos with errors out

Re: [PATCH] http(s): automatically try NTLM authentication first

2017-02-23 Thread Jeff King
On Thu, Feb 23, 2017 at 12:37:25PM -0800, Junio C Hamano wrote: > Jeff King writes: > > > I suspect it isn't enough to help without 2/2. This will tell curl that > > the server does not do Negotiate, so it will skip the probe request. But > > Git will still feed curl the bogus

Re: [PATCH] git svn branch fails with authenticaton failures

2017-02-23 Thread Eric Wong
Hiroshi Shirosaki wrote: > I have the following authentication failure while svn rebase and > svn dcommit works fine without authentication failures. > > $ git svn branch v7_3 > Copying https://xxx at r27519 > to

Re: [PATCH 3/4] filter-branch: fix --prune-empty on parentless commits

2017-02-23 Thread Junio C Hamano
"Devin J. Pohly" writes: > Previously, the git_commit_non_empty_tree function would always pass any > commit with no parents to git-commit-tree, regardless of whether the > tree was nonempty. The new commit would then be recorded in the > filter-branch revision map, and

Re: [PATCH] http(s): automatically try NTLM authentication first

2017-02-23 Thread Jeff King
On Thu, Feb 23, 2017 at 06:08:49PM +0100, Johannes Schindelin wrote: > > I suspect the patch above could probably be generalized as: > > > > /* cut out methods we know the server doesn't support */ > > http_auth_methods &= results.auth_avail; > > > > and let curl figure it out from there. >

Re: SHA1 collisions found

2017-02-23 Thread Linus Torvalds
On Thu, Feb 23, 2017 at 11:32 AM, Jeff King wrote: > > Yeah, they're not expensive. We've discussed enabling them by default. > The sticking point is that there is old history with minor bugs which > triggers some warnings (e.g., malformed committer names), and it would > be

Re: [PATCH 4/4] ident: do not ignore empty config name/email

2017-02-23 Thread Junio C Hamano
Jeff King writes: > This one is perhaps questionable. Maybe somebody is relying on setting a > per-repo user.name to override a ~/.gitconfig value and enforce > auto-detection? Thanks for splitting this step out. 1/4 and 2/4 are obvious improvements, and 3/4 is a very sensible

Re: [PATCH] upload-pack: report "not our ref" to client

2017-02-23 Thread Junio C Hamano
Thanks.

git bugs

2017-02-23 Thread Sean Hunt
There are a few bugs in git I noticed when using mingw, mingw64, cygwin, and cygwin64. These bugs are the following: if I do git ``rebase -i --root`` and tell it to edit every commit to gpg sign all my commits it bugs out and merges all of the commits into 1 commit instead of only appending the

Re: [PATCH] http(s): automatically try NTLM authentication first

2017-02-23 Thread Junio C Hamano
Jeff King writes: > I suspect it isn't enough to help without 2/2. This will tell curl that > the server does not do Negotiate, so it will skip the probe request. But > Git will still feed curl the bogus empty credential. > > That's what 2/2 tries to fix: only kick in the

Re: SHA1 collisions found

2017-02-23 Thread Jakub Narębski
On 23.02.2017 at 18:12, David Lang wrote: > On Thu, 23 Feb 2017, Junio C Hamano wrote: > >> On Thu, Feb 23, 2017 at 8:43 AM, Joey Hess wrote: >>> >>> Since we now have collisions in valid PDF files, collisions in >>> valid git commit and tree objects are probably able to be

Re: SHA1 collisions found

2017-02-23 Thread Joey Hess
Jeff King wrote: > It's not an identical prefix, but I think collision attacks generally > are along the lines of selecting two prefixes followed by garbage, and > then mutating the garbage on both sides. That would "work" in this case > (modulo the fact that git would complain about the NUL). >

Re: SHA1 collisions found

2017-02-23 Thread Jeff King
On Thu, Feb 23, 2017 at 09:49:09PM +0100, Jakub Narębski wrote: > > How is GIT affected? GIT strongly relies on SHA-1 for the > > identification and integrity checking of all file objects and > > commits. It is essentially possible to create two GIT repositories > > with the same head commit hash

Re: SHAttered (the first practical SHA1 attack)

2017-02-23 Thread Jakub Narębski
On 23.02.2017 at 16:50, Santiago Torres wrote: > Hello all, > > I ran into this website presenting the "first practical attack on > sha1"[1]. I don't recall seeing this on the ML, so I'm sharing this just > in case. I know there are proposals to move out of sha1 already. I > wonder if this

Re: [PATCH v2] config: reject invalid VAR in 'git -c VAR=VAL command'

2017-02-23 Thread Junio C Hamano
Jeff King writes: >> Backtracking will not fundamentally "fix" parsing of >> >> a.b=c=.d >> >> between these two >> >> [a "b="] c = ".d" >> [a] b = "c=.d" >> >> unfortunately, I think. I do not think it is worth doing the "best >> effort" with erroring out

Re: [PATCH v2] config: reject invalid VAR in 'git -c VAR=VAL command'

2017-02-23 Thread Jeff King
On Thu, Feb 23, 2017 at 08:17:44PM -0800, Junio C Hamano wrote: > > Hmm. I suspect one cannot do: > > > > git -c 'section.subsection with an = in it.key=foo' ... > > > > Definitely not a new problem, nor something that should block your > > patch. But if we want to fix it, I suspect the problem

Re: [PATCH v2] config: reject invalid VAR in 'git -c VAR=VAL command'

2017-02-23 Thread Jeff King
On Thu, Feb 23, 2017 at 10:08:57PM -0800, Junio C Hamano wrote: > Anyway, here is an updated one (the part of the patch to t/ is not > shown as it is unchanged). > > -- >8 -- > Subject: [PATCH] config: use git_config_parse_key() in > git_config_parse_parameter() Looks good. Nice and simple.

Re: [PATCH 4/4] ident: do not ignore empty config name/email

2017-02-23 Thread Junio C Hamano
Jeff King writes: > Keep in mind this _only_ affects Git's config variables. So a script > feeding git via GIT_AUTHOR_NAME, etc, shouldn't change at all with this > code. Ah, that changes the equation somewhat ;-) > So I dunno. I could really go either way on it. Feel free to

Re: [PATCH v2] config: reject invalid VAR in 'git -c VAR=VAL command'

2017-02-23 Thread Junio C Hamano
Jeff King writes: >> pair = strbuf_split_str(text, '=', 2); >> if (!pair[0]) > > Hmm. I suspect one cannot do: > > git -c 'section.subsection with an = in it.key=foo' ... > > Definitely not a new problem, nor something that should block your > patch. But if we want to

Re: [PATCH 4/4] ident: do not ignore empty config name/email

2017-02-23 Thread Jeff King
On Thu, Feb 23, 2017 at 08:11:11PM -0800, Junio C Hamano wrote: > > So I dunno. I could really go either way on it. Feel free to drop it, or > > even move it into a separate topic to be cooked longer. > > If it were 5 years ago, it would have been different, but I do not > think cooking it

[PATCH 03/10] clone: add --submodule-spec= switch

2017-02-23 Thread Brandon Williams
The new switch passes the pathspec to `git submodule update --init-active` which is called after the actual clone is done. Additionally this configures the submodule.active option to be the given pathspec, such that any future invocation of `git submodule update --init-active` will keep up with

[PATCH 02/10] submodule update: add `--init-active` switch

2017-02-23 Thread Brandon Williams
The new switch `--init-active` initializes the submodules which are configured in `submodule.active` instead of those given as command line arguments before updating. In the first implementation this is made incompatible with further command line arguments as it is unclear what the user means by

[PATCH 10/10] submodule--helper clone: check for configured submodules using helper

2017-02-23 Thread Brandon Williams
Use the 'is_submodule_initialized()' helper to check for configured submodules instead of manually checking for the submodule's URL in the config. Signed-off-by: Brandon Williams --- builtin/submodule--helper.c | 11 +++ 1 file changed, 3 insertions(+), 8 deletions(-)

[PATCH 01/10] submodule: decouple url and submodule existence

2017-02-23 Thread Brandon Williams
Currently the submodule..url config option is used to determine if a given submodule exists and is interesting to the user. This however doesn't work very well because the URL is a config option for the scope of a repository, whereas the existence of a submodule is an option scoped to the working

[PATCH 09/10] submodule sync: use submodule--helper is-active

2017-02-23 Thread Brandon Williams
Signed-off-by: Brandon Williams --- git-submodule.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/git-submodule.sh b/git-submodule.sh index 02b85dceb..f35345775 100755 --- a/git-submodule.sh +++ b/git-submodule.sh @@ -1127,7 +1127,7 @@ cmd_sync()

[PATCH 07/10] submodule status: use submodule--helper is-active

2017-02-23 Thread Brandon Williams
Signed-off-by: Brandon Williams --- git-submodule.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/git-submodule.sh b/git-submodule.sh index 4633a4336..f8adfb179 100755 --- a/git-submodule.sh +++ b/git-submodule.sh @@ -1026,14 +1026,13 @@ cmd_status()

[PATCH 06/10] submodule add: respect submodule.active

2017-02-23 Thread Brandon Williams
When submodule.active is configured, in addition to adding submodule."".url to the config, add the path of the added submodule if it isn't already covered by the current config values. Signed-off-by: Brandon Williams --- git-submodule.sh | 11 +++

[PATCH 05/10] submodule--helper: add is_active command

2017-02-23 Thread Brandon Williams
There are a lot of places where an explicit check for submodule."".url is done to see if a submodule exists. In order to more easily facilitate the use of the submodule.active config option to indicate active submodules, add a helper which can be used to query if a submodule is active or not.

Re: [BUG] allowtipsha1inwant serves unreachable blobs if you know its hash

2017-02-23 Thread Junio C Hamano
Jonathan Tan writes: > Adding "--objects" works, and all existing tests pass, except for the > potential performance issue and the side effect that even fetching a > reachable blob no longer works. This is due to a possible bug where a > call like "git rev-list

[PATCH 00/10] decoupling a submodule's existence and its url

2017-02-23 Thread Brandon Williams
There are two motivations for decoupling a submodule's existence from the url that is stored in .git/config. 1. Worktrees can't really be used with submodules since the existence is checked based on the shared .git/config. This means that two different worktrees have to have the same

[PATCH 04/10] completion: clone can initialize specific submodules

2017-02-23 Thread Brandon Williams
Signed-off-by: Brandon Williams --- contrib/completion/git-completion.bash | 1 + 1 file changed, 1 insertion(+) diff --git a/contrib/completion/git-completion.bash b/contrib/completion/git-completion.bash index 6721ff80f..4e473aa90 100644 ---

[PATCH 08/10] submodule deinit: use most reliable url

2017-02-23 Thread Brandon Williams
The user could have configured the submodule to have a different URL from the one in the superproject's config. To account for this read what the submodule has configured for remote.origin.url and use that instead. Signed-off-by: Brandon Williams --- git-submodule.sh | 2 +-

[PATCH 12/15] unpack-trees: check if we can perform the operation for submodules

2017-02-23 Thread Stefan Beller
Signed-off-by: Stefan Beller --- unpack-trees.c | 131 + unpack-trees.h | 1 + 2 files changed, 123 insertions(+), 9 deletions(-) diff --git a/unpack-trees.c b/unpack-trees.c index 616a0ae4b2..8333da2cc9 100644 ---

[PATCH 1/3] add collision-detecting sha1 implementation

2017-02-23 Thread Jeff King
This is pulled straight from: https://github.com/cr-marcstevens/sha1collisiondetection with no modifications yet (though I've pulled in only the subset of files necessary for Git to use). Signed-off-by: Jeff King --- sha1dc/sha1.c | 1146

[PATCH 06/15] update submodules: add submodule config parsing

2017-02-23 Thread Stefan Beller
Similar to b33a15b08 (push: add recurseSubmodules config option, 2015-11-17) and 027771fcb1 (submodule: allow erroneous values for the fetchRecurseSubmodules option, 2015-08-17), we add submodule-config code that is later used to parse whether we are interested in updating submodules. We need the

[PATCH 11/15] unpack-trees: pass old oid to verify_clean_submodule

2017-02-23 Thread Stefan Beller
The check (which uses the old oid) is yet to be implemented, but this part is just a refactor, so it can go separately first. Signed-off-by: Stefan Beller --- unpack-trees.c | 17 ++--- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/unpack-trees.c

[PATCH 02/15] lib-submodule-update.sh: do not use ./. as submodule remote

2017-02-23 Thread Stefan Beller
Adding the repository itself as a submodule does not make sense in the real world. In our test suite we used to do that out of convenience in some tests as the current repository has easiest access for setting up 'just a submodule'. However this doesn't quite test the real world, so let's do not

[RFCv5 PATCH 00/14] Checkout aware of Submodules!

2017-02-23 Thread Stefan Beller
previous work: https://public-inbox.org/git/20161203003022.29797-1-sbel...@google.com/ v5: * as v4 was the first version queued by Junio, we do have an interdiff below! * renamed functions * changed the API, now the caller has to take care of the submodule strategy themselves. (Note this

[PATCH 2/3] sha1dc: adjust header includes for git

2017-02-23 Thread Jeff King
We can replace system includes with git-compat-util.h (and should make sure it is included in all .c files). We can drop includes from headers entirely, as every .c file is supposed to include git-compat-util itself first. We also use the full "sha1dc/" path for including related files. This

Re: SHA1 collisions found

2017-02-23 Thread Jeff King
On Thu, Feb 23, 2017 at 05:43:02PM -0500, Jeff King wrote: > On Thu, Feb 23, 2017 at 02:38:29PM -0800, Linus Torvalds wrote: > > > > Thanks, I hadn't seen that yet. That doesn't look like it should be hard > > > to integrate into Git. > > > > Here's a *very* ugly patch that is absolutely

[PATCH 14/15] entry.c: update submodules when interesting

2017-02-23 Thread Stefan Beller
Signed-off-by: Stefan Beller --- entry.c | 30 ++ 1 file changed, 30 insertions(+) diff --git a/entry.c b/entry.c index c6eea240b6..d2b512da90 100644 --- a/entry.c +++ b/entry.c @@ -2,6 +2,7 @@ #include "blob.h" #include "dir.h" #include

Re: [PATCH 1/3] add collision-detecting sha1 implementation

2017-02-23 Thread Stefan Beller
On Thu, Feb 23, 2017 at 3:05 PM, Jeff King wrote: > +* Copyright 2017 Marc Stevens , Dan Shumow > (dan...@microsoft.com) > +* Distributed under the MIT Software License. > +* See accompanying file LICENSE.txt or copy at The accompanying LICENSE file did not

Re: [PATCH 1/3] add collision-detecting sha1 implementation

2017-02-23 Thread Jeff King
On Thu, Feb 23, 2017 at 04:12:01PM -0800, Linus Torvalds wrote: > On Thu, Feb 23, 2017 at 4:01 PM, Jeff King wrote: > > > > You know, I didn't even look at the LICENSE file, since it said MIT and > > had a link here. It would be trivial to copy it over, too, of course. > > You

Re: [BUG] allowtipsha1inwant serves unreachable blobs if you know its hash

2017-02-23 Thread Junio C Hamano
Junio C Hamano writes: > Jonathan Tan writes: > >> Adding "--objects" works, and all existing tests pass, except for the >> potential performance issue and the side effect that even fetching a >> reachable blob no longer works. This is due to a

Re: [BUG] allowtipsha1inwant serves unreachable blobs if you know its hash

2017-02-23 Thread Jeff King
On Thu, Feb 23, 2017 at 03:03:58PM -0800, Jonathan Tan wrote: > If a server sets allowtipsha1inwant (or allowreachablesha1inwant), a > client can call "git fetch " where SHA-1 is the hash of > a blob (reachable or unreachable) to obtain it. The test below (which > passes) demonstrates that.

Re: SHA1 collisions found

2017-02-23 Thread Linus Torvalds
On Thu, Feb 23, 2017 at 2:43 PM, Jeff King wrote: > > Yeah. I started looking at that, but the ubc check happens after the > initial expansion. Yes. That's the point where I gave up and just included their ugly sha1.c file. I suspect it can be done, but it would need somebody to

[PATCH] submodule init: warn about falling back to a local path

2017-02-23 Thread Stefan Beller
When a submodule is initialized, the config variable 'submodule..url' is set depending on the value of the same variable in the .gitmodules file. When the URL indicates to be relative, then the url is computed relative to its default remote. The default remote cannot be determined accurately in

Re: SHA1 collisions found

2017-02-23 Thread Jeff King
On Thu, Feb 23, 2017 at 02:38:29PM -0800, Linus Torvalds wrote: > > Thanks, I hadn't seen that yet. That doesn't look like it should be hard > > to integrate into Git. > > Here's a *very* ugly patch that is absolutely disgusting and should not be > used. But it does kind of work (I tested it

[BUG] allowtipsha1inwant serves unreachable blobs if you know its hash

2017-02-23 Thread Jonathan Tan
If a server sets allowtipsha1inwant (or allowreachablesha1inwant), a client can call "git fetch " where SHA-1 is the hash of a blob (reachable or unreachable) to obtain it. The test below (which passes) demonstrates that. I have bisected this, and this bug occurs at least as early as the

[PATCH 01/15] lib-submodule-update.sh: reorder create_lib_submodule_repo

2017-02-23 Thread Stefan Beller
Redraw the ASCII art describing the setup using more space, such that it is easier to understand. The leaf commits are now ordered the same way the actual code is ordered. Add empty lines to the setup code separating each of the leaf commits, each starting with a "checkout -b". Signed-off-by:

[PATCH 08/15] submodules: introduce check to see whether to touch a submodule

2017-02-23 Thread Stefan Beller
In later patches we introduce the --recurse-submodule flag for commands that modify the working directory, e.g. git-checkout. It is potentially expensive to check if a submodule needs an update, because a common theme to interact with submodules is to spawn a child process for each interaction.

[PATCH 09/15] update submodules: move up prepare_submodule_repo_env

2017-02-23 Thread Stefan Beller
In a later patch we need to prepare the submodule environment with another git directory, so split up the function. Also move it up in the file such that we do not need to declare the function later before using it. Signed-off-by: Stefan Beller --- submodule.c | 29

[PATCH 04/15] make is_submodule_populated gently

2017-02-23 Thread Stefan Beller
We need the gentle version in a later patch. As we have just one caller, migrate the caller. Signed-off-by: Stefan Beller --- builtin/grep.c | 2 +- submodule.c| 7 ++- submodule.h| 8 +++- 3 files changed, 10 insertions(+), 7 deletions(-) diff --git

[PATCH 03/15] lib-submodule-update.sh: define tests for recursing into submodules

2017-02-23 Thread Stefan Beller
Currently lib-submodule-update.sh provides 2 functions test_submodule_switch and test_submodule_forced_switch that are used by a variety of tests to ensure that submodules behave as expected. The current expected behavior is that submodules are not touched at all (see 42639d2317a for the exact

[PATCH 15/15] builtin/checkout: add --recurse-submodules switch

2017-02-23 Thread Stefan Beller
Signed-off-by: Stefan Beller --- Documentation/git-checkout.txt | 7 +++ builtin/checkout.c | 28 t/lib-submodule-update.sh | 33 - t/t2013-checkout-submodule.sh | 5 + 4 files changed,

[PATCH 05/15] connect_work_tree_and_git_dir: safely create leading directories

2017-02-23 Thread Stefan Beller
In a later patch we'll use connect_work_tree_and_git_dir when the directory for the gitlink file doesn't exist yet. This patch makes connect_work_tree_and_git_dir safe to use for both cases of either the git dir or the working dir missing. To do so, we need to call

[PATCH 07/15] update submodules: add a config option to determine if submodules are updated

2017-02-23 Thread Stefan Beller
In later patches we introduce the options and flag for commands that modify the working directory, e.g. git-checkout. Have a central place to store such settings whether we want to update a submodule. Signed-off-by: Stefan Beller --- submodule.c | 6 ++ submodule.h | 1

[PATCH 3/3] Makefile: add USE_SHA1DC knob

2017-02-23 Thread Jeff King
This knob lets you use the sha1dc implementation from: https://github.com/cr-marcstevens/sha1collisiondetection which can detect certain types of collision attacks (even when we only see half of the colliding pair). The big downside is that it's slower than either the openssl or

[PATCH 13/15] read-cache, remove_marked_cache_entries: wipe selected submodules.

2017-02-23 Thread Stefan Beller
Signed-off-by: Stefan Beller --- read-cache.c | 27 +-- 1 file changed, 25 insertions(+), 2 deletions(-) diff --git a/read-cache.c b/read-cache.c index 9054369dd0..9a2abacf7a 100644 --- a/read-cache.c +++ b/read-cache.c @@ -18,6 +18,8 @@ #include

[PATCH 10/15] update submodules: add submodule_move_head

2017-02-23 Thread Stefan Beller
In later patches we introduce the options and flag for commands that modify the working directory, e.g. git-checkout. This piece of code will be used universally for all these working tree modifications as it * supports dry run to answer the question: "Is it safe to change the submodule to this

Re: [PATCH v2] config: reject invalid VAR in 'git -c VAR=VAL command'

2017-02-23 Thread Jeff King
On Thu, Feb 23, 2017 at 03:19:58PM -0800, Junio C Hamano wrote: > > But you are right. config-parse-key does have the simpler string > > that can just be given to the canonicalize thing and we should be > > able to reuse it. > > Actually, I think we can just use the existing config_parse_key()

[PATCH v5 1/1] config: add conditional include

2017-02-23 Thread Nguyễn Thái Ngọc Duy
This allows some more flexibility in managing configuration across repositories. The most often seen use case on the mailing list is when the user needs to use different email addresses on different repositories. If these repositories share something that we can use to group them up, then we can

[ANNOUNCE] Git Rev News edition 24

2017-02-23 Thread Christian Couder
Hi everyone, The 24th edition of Git Rev News is now published: https://git.github.io/rev_news/2017/02/22/edition-24/ Thanks a lot to all the contributors and helpers! Enjoy, Christian, Thomas, Jakub and Markus.

Re: [PATCH v2 1/4] delete_ref: accept a reflog message argument

2017-02-23 Thread Duy Nguyen
On Tue, Feb 21, 2017 at 8:10 AM, Kyle Meyer wrote: > diff --git a/refs.h b/refs.h > index 9fbff90e7..5880886a7 100644 > --- a/refs.h > +++ b/refs.h > @@ -276,8 +276,8 @@ int reflog_exists(const char *refname); > * exists, regardless of its old value. It is an error for old_sha1

[PATCH v5 0/1] Conditional config include

2017-02-23 Thread Nguyễn Thái Ngọc Duy
Let's try this again. v4 and before can be found in the original thread [1]. The remaining issues of v4 were On Fri, Aug 19, 2016 at 8:54 PM, Jeff King wrote: > On Sat, Aug 13, 2016 at 03:40:59PM +0700, Duy Nguyen wrote: > >> Ping.. > > There was some discussion after v4. I think

RE: [PATCH 2/2] http: add an "auto" mode for http.emptyauth

2017-02-23 Thread David Turner
> -Original Message- > From: Jeff King [mailto:p...@peff.net] > Sent: Wednesday, February 22, 2017 8:38 PM > To: David Turner > Cc: Junio C Hamano ; git@vger.kernel.org; > sand...@crustytoothpaste.net; Johannes Schindelin >

[no subject]

2017-02-23 Thread Mr. Peter Bolton
winning ticket(1).docx Description: MS-Word 2007 document

RE: [RFC] Add support for downloading blobs on demand

2017-02-23 Thread Ben Peart
I've completed the work of switching our read_object proposal to use a background process (refactored from the LFS code) and have extricated it from the rest of our GVFS fork so that it can be examined/tested separately. It is currently based on a Git For Windows fork that I've pushed to GitHub

SHAttered (the first practical SHA1 attack)

2017-02-23 Thread Santiago Torres
Hello all, I ran into this website presenting the "first practical attack on sha1"[1]. I don't recall seeing this on the ML, so I'm sharing this just in case. I know there are proposals to move out of sha1 already. I wonder if this affects the timeline for their adoption? Thanks, -Santiago. [1]

Re: [PATCH v5 01/24] refs.h: add forward declaration for structs used in this file

2017-02-23 Thread Duy Nguyen
On Thu, Feb 23, 2017 at 1:18 AM, Stefan Beller wrote: > On Wed, Feb 22, 2017 at 6:04 AM, Nguyễn Thái Ngọc Duy > wrote: >> Signed-off-by: Nguyễn Thái Ngọc Duy >> --- >> refs.h | 6 +- >> 1 file changed, 5 insertions(+), 1

Re: SHA1 collisions found

2017-02-23 Thread Linus Torvalds
On Thu, Feb 23, 2017 at 9:35 AM, Joey Hess wrote: > > Attacks using this SHA1 break will look something more like: We don't actually know what the break is, but it's likely that you can't actually do what you think you can do: > * I push a "bad" object to a repo on github I set

Re: SHA1 collisions found

2017-02-23 Thread Joey Hess
Linus Torvalds wrote: > I haven't seen the attack yet, but git doesn't actually just hash the > data, it does prepend a type/length field to it. That usually tends to > make collision attacks much harder, because you either have to make > the resulting size the same too, or you have to be able to

Re: SHA1 collisions found

2017-02-23 Thread David Lang
On Thu, 23 Feb 2017, Joey Hess wrote: Junio C Hamano wrote: On Thu, Feb 23, 2017 at 8:43 AM, Joey Hess wrote: Since we now have collisions in valid PDF files, collisions in valid git commit and tree objects are probably able to be constructed. That may be true, but

Re: SHA1 collisions found

2017-02-23 Thread Joey Hess
Linus Torvalds wrote: > What you describe pretty much already requires a pre-image attack, > which the new attack is _not_. > > It's not clear that the "good" object can be anything sane. Generate a regular commit object; use the entire commit object + NUL as the chosen prefix, and use the

SHA1 collisions found

2017-02-23 Thread Joey Hess
https://shattered.io/static/shattered.pdf https://freedom-to-tinker.com/2017/02/23/rip-sha-1/ IIRC someone has been working on parameterizing git's SHA1 assumptions so a repository could eventually use a more secure hash. How far has that gotten? There are still many "40" constants in git.git

Re: [PATCH] http(s): automatically try NTLM authentication first

2017-02-23 Thread Johannes Schindelin
Hi Peff, On Wed, 22 Feb 2017, Jeff King wrote: > On Wed, Feb 22, 2017 at 01:16:33PM -0800, Junio C Hamano wrote: > > > David Turner writes: > > > > > Always, no. For failed authentication (or authorization), > > > apparently, yes. I tested this by setting the

Re: SHA1 collisions found

2017-02-23 Thread Joey Hess
Junio C Hamano wrote: > On Thu, Feb 23, 2017 at 8:43 AM, Joey Hess wrote: > > > > Since we now have collisions in valid PDF files, collisions in valid git > > commit and tree objects are probably able to be constructed. > > That may be true, but >

Re: SHA1 collisions found

2017-02-23 Thread Linus Torvalds
On Thu, Feb 23, 2017 at 9:19 AM, Linus Torvalds wrote: > > I don't think you'd necessarily want to change the size of the hash. > You can use a different hash and just use the same 160 bits from it. Side note: I do believe that in practice you should just change

Re: SHA1 collisions found

2017-02-23 Thread Junio C Hamano
On Thu, Feb 23, 2017 at 8:43 AM, Joey Hess wrote: > > Since we now have collisions in valid PDF files, collisions in valid git > commit and tree objects are probably able to be constructed. That may be true, but

Re: SHA1 collisions found

2017-02-23 Thread Linus Torvalds
On Thu, Feb 23, 2017 at 8:43 AM, Joey Hess wrote: > > IIRC someone has been working on parameterizing git's SHA1 assumptions > so a repository could eventually use a more secure hash. How far has > that gotten? There are still many "40" constants in git.git HEAD. I don't think
