Skip to content

Bump git2 to 0.15 and libgit2-sys to 0.14#11004

Merged
bors merged 2 commits intorust-lang:masterfrom
jonhoo:bump-git2
Aug 27, 2022
Merged

Bump git2 to 0.15 and libgit2-sys to 0.14#11004
bors merged 2 commits intorust-lang:masterfrom
jonhoo:bump-git2

Conversation

@jonhoo
Copy link
Contributor

@jonhoo jonhoo commented Aug 17, 2022

This will allow cargo to avoid vendored builds of git2 in up-to-date
environments going forward, and brings in the libgit2 1.4.4 CVE fix.

Bump git2 to 0.15 and libgit2-sys to 0.14
30fe22b 
This will allow cargo to avoid vendored builds of git2 in up-to-date
environments going forward, and brings in the [libgit2 1.4.4 CVE fix].

[libgit2 1.4.4 CVE fix]: https://github.com/libgit2/libgit2/releases/tag/v1.4.4
@rust-highfive
Copy link

rust-highfive commented Aug 17, 2022

r? @weihanglo

(rust-highfive has picked a reviewer for you, use r? to override)

@rust-highfive rust-highfive added the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label Aug 17, 2022
@ehuss
Copy link
Contributor

ehuss commented Aug 17, 2022

I think to move forward with this cargo will need to call libgit2_sys::set_verify_owner_validation(false) in order to disable owner validation. We don't need that for security (cargo doesn't do discovery in any way that is a concern) and there are scenarios where it will trigger in typical environments.

@jonhoo
Copy link
Contributor Author

jonhoo commented Aug 17, 2022

Ah, yes, I remember from the discussion in rust-lang/rfcs#3279. Will update!

@jonhoo
Copy link
Contributor Author

jonhoo commented Aug 17, 2022

One issue with setting that is that it's a global property. Which means that if someone has a project that uses git2 separately from cargo, but also runs cargo, then operations they do with git2 will also not have the owner check applied, which is probably unexpected. We could set it before each git operation and reset it after, though that feels brittle and racy. I wish it were possible to configure this option per repository...

@jonhoo
Copy link
Contributor Author

jonhoo commented Aug 17, 2022

There's git_repository_open_ext, but the flags it supports don't include the owner check.

@jonhoo
Copy link
Contributor Author

jonhoo commented Aug 17, 2022

Having now dug through the libgit2 PR that introduced the ownership check, libgit2/libgit2#6266, I don't see a way around this. Either we have to disable the check globally in something like cargo::Config::new, or we have to surround every call to git2::Repository::open (or ::init? or ::clone?) with a disable + do + enable dance which still risks racing with other (non-Cargo) code to allow opening a repository there with the check unexpectedly disabled.

@ehuss
Copy link
Contributor

ehuss commented Aug 17, 2022

I was thinking it can be called from init_git_transports or somewhere around there on the binary side. That shouldn't affect cargo-lib users, and I believe is the only safe place to do it since it is an unprotected global.

@jonhoo
Copy link
Contributor Author

jonhoo commented Aug 17, 2022

We could do that, although it would mean that anyone using Cargo as a library would need to know to explicitly call that method themselves too. We could perhaps add a method like Config::globally_disable_git_ownership_verification so that consumers will at least a) not have to add git2 as a direct dependency and b) hopefully discover that this is something they may need to call?

@jonhoo
Copy link
Contributor Author

jonhoo commented Aug 17, 2022

One option might be to set the ceiling directories, which can be done per open, but as far as I can tell from the implementation that doesn't actually bypass the check either?

@weihanglo
Copy link
Member

weihanglo commented Aug 21, 2022

We could perhaps add a method like Config::globally_disable_git_ownership_verification

This sounds lovely to me. And I believe people will eventually find it. As Cargo lib users, they must be accustomed to breakages between versions sometimes. (Sorry about that 😅)

@epage epage mentioned this pull request Aug 23, 2022
Closed
weihanglo
weihanglo approved these changes Aug 27, 2022
View reviewed changes
Copy link
Member

@weihanglo weihanglo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am going to merge this. Thanks for the pull request.

If @ehuss or anyone still concerns with this, feel free to comment.

@weihanglo
Copy link
Member

weihanglo commented Aug 27, 2022

@bors r+

@bors
Copy link
Contributor

bors commented Aug 27, 2022

📌 Commit 222e0e5 has been approved by weihanglo

It is now in the queue for this repository.

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Aug 27, 2022
@bors
Copy link
Contributor

bors commented Aug 27, 2022

⌛ Testing commit 222e0e5 with merge e5ec3a8...

@weihanglo weihanglo added the relnotes Release-note worthy label Aug 27, 2022
@weihanglo
Copy link
Member

weihanglo commented Aug 27, 2022

I feel like this worth mentioning in release note, at least for library user?

@bors
Copy link
Contributor

bors commented Aug 27, 2022

☀️ Test successful - checks-actions
Approved by: weihanglo
Pushing e5ec3a8 to master...

@bors bors merged commit e5ec3a8 into rust-lang:master Aug 27, 2022
@weihanglo weihanglo removed the relnotes Release-note worthy label Aug 27, 2022
@weihanglo weihanglo mentioned this pull request Aug 29, 2022
Merged
bors pushed a commit to rust-lang-ci/rust that referenced this pull request Aug 29, 2022
@weihanglo
Update cargo
ae1764c 
5 commits in 6da726708a4406f31f996d813790818dce837161..4ed54cecce3ce9ab6ff058781f4c8a500ee6b8b5
2022-08-23 21:39:56 +0000 to 2022-08-27 18:41:39 +0000
- doc: pause, for readability (rust-lang/cargo#11027)
- Bump git2 to 0.15 and libgit2-sys to 0.14 (rust-lang/cargo#11004)
- Fix typo (rust-lang/cargo#11025)
- Update cargo-toml-vs-cargo-lock.md (rust-lang/cargo#11021)
- Apply GitHub fast path even for partial hashes (rust-lang/cargo#10807)
bors added a commit to rust-lang-ci/rust that referenced this pull request Aug 29, 2022
@bors
Auto merge of rust-lang#101147 - weihanglo:update-cargo, r=Mark-Simul…
fcc2bdd 
…acrum

Update cargo

5 commits in 6da726708a4406f31f996d813790818dce837161..4ed54cecce3ce9ab6ff058781f4c8a500ee6b8b5
2022-08-23 21:39:56 +0000 to 2022-08-27 18:41:39 +0000
- doc: pause, for readability (rust-lang/cargo#11027)
- Bump git2 to 0.15 and libgit2-sys to 0.14 (rust-lang/cargo#11004)
- Fix typo (rust-lang/cargo#11025)
- Update cargo-toml-vs-cargo-lock.md (rust-lang/cargo#11021)
- Apply GitHub fast path even for partial hashes (rust-lang/cargo#10807)
@jonhoo
Copy link
Contributor Author

jonhoo commented Aug 31, 2022

I agree this should be mentioned in relnotes!

@jonhoo jonhoo deleted the bump-git2 branch August 31, 2022 00:27
@ehuss ehuss added this to the 1.65.0 milestone Aug 31, 2022
@ehuss
Copy link
Contributor

ehuss commented Aug 31, 2022

fwiw, I always include libgit2 bumps in the Cargo changelog. But I don't think this needs to be in the Rust release notes, does it? Are you concerned that third-party packages that link to the cargo API might run into problems here?

@jonhoo
Copy link
Contributor Author

jonhoo commented Aug 31, 2022

Oh, sorry, I thought relnotes was the Cargo release notes, not the Rust release notes. I agree with you it probably doesn't need to be in the Rust release notes.

I will point out that this bump means that libgit2 will now be built from source for anyone without a fairly recent libgit2 installed locally, which may cause some headache (it did for me), but that should only hit a small number of entities I suspect.

@ehuss
Copy link
Contributor

ehuss commented Aug 31, 2022

Ah. Ok, I'll untag the relnotes. That label is only for RELEASES.md.

@ehuss
Copy link
Contributor

ehuss commented Aug 31, 2022

Oh, it was already removed. I was confused. 😄

RalfJung pushed a commit to RalfJung/rust-analyzer that referenced this pull request Apr 20, 2024
@bors
Auto merge of #101147 - weihanglo:update-cargo, r=Mark-Simulacrum
8a8c32a 
Update cargo

5 commits in 6da726708a4406f31f996d813790818dce837161..4ed54cecce3ce9ab6ff058781f4c8a500ee6b8b5
2022-08-23 21:39:56 +0000 to 2022-08-27 18:41:39 +0000
- doc: pause, for readability (rust-lang/cargo#11027)
- Bump git2 to 0.15 and libgit2-sys to 0.14 (rust-lang/cargo#11004)
- Fix typo (rust-lang/cargo#11025)
- Update cargo-toml-vs-cargo-lock.md (rust-lang/cargo#11021)
- Apply GitHub fast path even for partial hashes (rust-lang/cargo#10807)
RalfJung pushed a commit to RalfJung/rust-analyzer that referenced this pull request Apr 27, 2024
@bors
Auto merge of #101147 - weihanglo:update-cargo, r=Mark-Simulacrum
9fe1af6 
Update cargo

5 commits in 6da726708a4406f31f996d813790818dce837161..4ed54cecce3ce9ab6ff058781f4c8a500ee6b8b5
2022-08-23 21:39:56 +0000 to 2022-08-27 18:41:39 +0000
- doc: pause, for readability (rust-lang/cargo#11027)
- Bump git2 to 0.15 and libgit2-sys to 0.14 (rust-lang/cargo#11004)
- Fix typo (rust-lang/cargo#11025)
- Update cargo-toml-vs-cargo-lock.md (rust-lang/cargo#11021)
- Apply GitHub fast path even for partial hashes (rust-lang/cargo#10807)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@weihanglo weihanglo weihanglo approved these changes

Assignees

@weihanglo weihanglo

Labels

S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion.

Projects

None yet

Milestone

1.65.0

Development

Successfully merging this pull request may close these issues.

5 participants

@jonhoo @rust-highfive @ehuss @weihanglo @bors