Re: [RFC/PATCH] verify-tag: add --check-name flag

2016-06-09 Thread Michael J Gruber
Junio C Hamano venit, vidit, dixit 08.06.2016 20:43: > Santiago Torres writes: > >> Sorry I'm trying to follow this. Would it be best to then have >> >> verify-tag [--check-name=tagname] (tag-ref|tag-name|sha1)? >> >> and >> >> tag -v [--check-name] (tag-name) >> >> Or

Re: [RFC/PATCH] verify-tag: add --check-name flag

2016-06-08 Thread Junio C Hamano
Santiago Torres writes: > Sorry I'm trying to follow this. Would it be best to then have > > verify-tag [--check-name=tagname] (tag-ref|tag-name|sha1)? > > and > > tag -v [--check-name] (tag-name) > > Or would --format still work better? No matter what you do, don't

Re: [RFC/PATCH] verify-tag: add --check-name flag

2016-06-08 Thread Santiago Torres
On Tue, Jun 07, 2016 at 03:35:07PM -0700, Junio C Hamano wrote: > On Tue, Jun 7, 2016 at 3:29 PM, Jeff King wrote: > > or even: > > > > git tag --show-tag-name foo/v1.0 > > > > when refs/remotes/foo/v1.0 exists? > > > > The rule right now is generally that "git tag" takes actual

Re: [RFC/PATCH] verify-tag: add --check-name flag

2016-06-07 Thread Junio C Hamano
On Tue, Jun 7, 2016 at 3:29 PM, Jeff King wrote: > or even: > > git tag --show-tag-name foo/v1.0 > > when refs/remotes/foo/v1.0 exists? > > The rule right now is generally that "git tag" takes actual tag names. Ahh, I forgot about that. Yes, indeed the command does not work like

Re: [RFC/PATCH] verify-tag: add --check-name flag

2016-06-07 Thread Jeff King
On Tue, Jun 07, 2016 at 03:21:48PM -0700, Junio C Hamano wrote: > Jeff King writes: > > > If you are suggesting that you can do the whole thing today by parsing > > the tag object yourself, then sure, I agree. I thought the point of the > > exercise was to make that less painful

Re: [RFC/PATCH] verify-tag: add --check-name flag

2016-06-07 Thread Junio C Hamano
Jeff King writes: > If you are suggesting that you can do the whole thing today by parsing > the tag object yourself, then sure, I agree. I thought the point of the > exercise was to make that less painful for the callers. Yes, and I somehow thought everybody agreed that

Re: [RFC/PATCH] verify-tag: add --check-name flag

2016-06-07 Thread Santiago Torres
On Tue, Jun 07, 2016 at 06:13:25PM -0400, Jeff King wrote: > On Tue, Jun 07, 2016 at 03:11:47PM -0700, Junio C Hamano wrote: > > > On Tue, Jun 7, 2016 at 3:07 PM, Jeff King wrote: > > >> > > >> Puzzled. I didn't even use --format=%(tagname) in the above. > > > > > > No, but you

Re: [RFC/PATCH] verify-tag: add --check-name flag

2016-06-07 Thread Jeff King
On Tue, Jun 07, 2016 at 03:11:47PM -0700, Junio C Hamano wrote: > On Tue, Jun 7, 2016 at 3:07 PM, Jeff King wrote: > >> > >> Puzzled. I didn't even use --format=%(tagname) in the above. > > > > No, but you used --show-tagname, which does not exist today (and which > > IMHO should

Re: [RFC/PATCH] verify-tag: add --check-name flag

2016-06-07 Thread Jeff King
On Tue, Jun 07, 2016 at 03:05:50PM -0700, Junio C Hamano wrote: > Jeff King writes: > > > On Tue, Jun 07, 2016 at 02:50:23PM -0700, Junio C Hamano wrote: > > > >> >> Or it could even do this: > >> >> > >> >> tag="$1" > >> >> if ! git tag -v "$tag" > >> >>

Re: [RFC/PATCH] verify-tag: add --check-name flag

2016-06-07 Thread Junio C Hamano
Jeff King writes: > On Tue, Jun 07, 2016 at 02:50:23PM -0700, Junio C Hamano wrote: > >> >> Or it could even do this: >> >> >> >> tag="$1" >> >> if ! git tag -v "$tag" >> >> if ! git tag -v "$tag" >> >> then >> >> echo >&2 "Bad tag." >> >>

Re: [RFC/PATCH] verify-tag: add --check-name flag

2016-06-07 Thread Jeff King
On Tue, Jun 07, 2016 at 02:50:23PM -0700, Junio C Hamano wrote: > >> Or it could even do this: > >> > >>tag="$1" > >>if ! git tag -v "$tag" > >>if ! git tag -v "$tag" > >> then > >>echo >&2 "Bad tag." > >> exit 1 > >>fi > >> + tag=$(git tag

Re: [RFC/PATCH] verify-tag: add --check-name flag

2016-06-07 Thread Junio C Hamano
Jeff King writes: > git tag -v --format='%(tag)%n%(tagger)' > > or similar. In fact you can already do that with a separate step (modulo > %n, which we do not seem to understand here), but like your example: Yes, "--format=%(tag)" is all that is needed to make the example work.

Re: [RFC/PATCH] verify-tag: add --check-name flag

2016-06-07 Thread Santiago Torres
On Tue, Jun 07, 2016 at 05:08:56PM -0400, Jeff King wrote: > On Tue, Jun 07, 2016 at 03:56:08PM -0400, santi...@nyu.edu wrote: > > > diff --git a/tag.c b/tag.c > > index d1dcd18..591b31e 100644 > > --- a/tag.c > > +++ b/tag.c > > @@ -55,6 +55,14 @@ int gpg_verify_tag(const unsigned char *sha1,

Re: [RFC/PATCH] verify-tag: add --check-name flag

2016-06-07 Thread Santiago Torres
On Tue, Jun 07, 2016 at 05:17:07PM -0400, Jeff King wrote: > That is much more flexible, as they could even do some more complicated > matching than a single string (though in practice, for security things, > I think simpler is better). > > I think this option is going to become a blueprint for

Re: [RFC/PATCH] verify-tag: add --check-name flag

2016-06-07 Thread Santiago Torres
On Tue, Jun 07, 2016 at 02:05:20PM -0700, Junio C Hamano wrote: > santi...@nyu.edu writes: > > > 1.- Using a tag ref as a check-out mechanism is pretty common by package > > managers and other tools. Verifying the tag signature provides > > authentication guarantees, but there is no

Re: [RFC/PATCH] verify-tag: add --check-name flag

2016-06-07 Thread Jeff King
On Tue, Jun 07, 2016 at 05:13:14PM -0400, Santiago Torres wrote: > > 2. What do we do for non-annotated tags? Is it always a failure? > > Right now, verify-tag fails with non-annotated tags like this: > > santiago at ~/.../git ✔ ./git-verify-tag master > error: master: cannot verify

Re: [RFC/PATCH] verify-tag: add --check-name flag

2016-06-07 Thread Jeff King
On Tue, Jun 07, 2016 at 02:05:20PM -0700, Junio C Hamano wrote: > It is true that "git cat-file tag v1.4.11" lets you examine all > lines of a given tag object, but the calling program needs to pick > pieces apart with something like: > > git cat-file tag v1.4.11 | sed -e '/^$/q' -e

Re: [RFC/PATCH] verify-tag: add --check-name flag

2016-06-07 Thread Jeff King
On Tue, Jun 07, 2016 at 03:56:08PM -0400, santi...@nyu.edu wrote: > diff --git a/tag.c b/tag.c > index d1dcd18..591b31e 100644 > --- a/tag.c > +++ b/tag.c > @@ -55,6 +55,14 @@ int gpg_verify_tag(const unsigned char *sha1, const char > *name_to_report, > > ret = run_gpg_verify(buf, size,

Re: [RFC/PATCH] verify-tag: add --check-name flag

2016-06-07 Thread Junio C Hamano
santi...@nyu.edu writes: > 1.- Using a tag ref as a check-out mechanism is pretty common by package > managers and other tools. Verifying the tag signature provides > authentication guarantees, but there is no feedback that the > signature being verified belongs to the intended tag.

[RFC/PATCH] verify-tag: add --check-name flag

2016-06-07 Thread santiago
From: Santiago Torres Hello everyone, In a previous thread [1] we discussed the possibility of having a --check-name flag for the tag-verify command (and possibly git tag -v). Although many points were on the table, I don't think that it was conclusive as to whether