
Fetchgit for submodules should be able to fetch arbitrary refs #4760

Open
timbertson opened this issue May 2, 2021 · 2 comments

Comments

@timbertson
Contributor

Fetchgit generally can't resolve a detached commit, and requires you to give it a ref under which the desired commit can be found.

As far as I can tell, this is for two reasons:

Technical: git can't efficiently fetch an arbitrary ref

The technical issue appears to be resolved. @edolstra explained in 2008 that while git can in theory support it, GitHub doesn't, so it's a nonstarter:

$ git fetch https://github.com/nixos/nixpkgs-channels 01f5e794913a18494642b5f237bd76c054339d61
error: Server does not allow request for unadvertised object 01f5e794913a18494642b5f237bd76c054339d61

However, running this today, it does work fine:

$ git fetch https://github.com/nixos/nixpkgs-channels 01f5e794913a18494642b5f237bd76c054339d61
remote: Enumerating objects: 1069606, done.
remote: Total 1069606 (delta 0), reused 0 (delta 0), pack-reused 1069606
Receiving objects: 100% (1069606/1069606), 348.40 MiB | 5.67 MiB/s, done.
Resolving deltas: 100% (752564/752564), done.
From https://github.com/nixos/nixpkgs-channels
 * branch                    01f5e794913a18494642b5f237bd76c054339d61 -> FETCH_HEAD

So evidently GitHub enabled this support sometime in the last few years.

"it may be a security risk"

This is described in the source itself:

https://github.com/NixOS/nixpkgs/blob/c116c5f89ff8d8825505f1b6c40856c0c717c6f8/pkgs/build-support/fetchgit/default.nix#L27-L30

I'd love clarification on what the risk is. I'm guessing that the risk relates to misplaced trust. E.g., if I submit a PR somewhere to update nixos/nixpkgs to MY_COOL_SHA, the current restrictions mean this will only evaluate if that SHA is reachable via the main branch (or the explicitly listed branch), which gives reviewers confidence that I'm not bumping nixpkgs to some random commit on a test branch.

If that's the problem, then I think we can still relax the restriction when fetching submodules. Presumably the original commit is the thing we need to trust; if it references submodules by commit, then those can be assumed to be as trustworthy as the original commit itself.

(I care about this because I'm battling a repo with submodules referencing a branch that looks like it's been rebased, so it's impossible to fetch historical versions 😢 )
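An added example, not code from this issue or from nixpkgs, that makes the two trust checks in the post concrete with plain git commands: whether a pinned commit is reachable from an advertised branch (the reviewer confidence described above), and which commit a superproject commit records for a submodule path (the pin the post argues inherits the superproject commit's trust). The fixture repository and the submodule SHA `1111…` are constructed; `commit_reachable_from_ref` and `submodule_pin` are hypothetical names.

```shell
#!/bin/sh
# Added example (not nixpkgs code). Two plain-git checks behind the trust
# argument in the issue:
#   commit_reachable_from_ref  is a candidate pin reachable from an advertised ref?
#   submodule_pin              which commit does a superproject commit record for
#                              a submodule path (its gitlink entry)?

# Exit 0 if commit $2 is reachable from ref $3 in repo $1, 1 if it is not,
# 2 if the commit is not present locally at all.
commit_reachable_from_ref() {
  git -C "$1" cat-file -e "$2^{commit}" 2>/dev/null || return 2
  git -C "$1" merge-base --is-ancestor "$2" "$3"
}

# Print the commit hash recorded for submodule path $3 at superproject commit $2.
# Fails when the path is not a gitlink (mode 160000) in that commit's tree.
submodule_pin() {
  git -C "$1" ls-tree "$2" -- "$3" |
    awk '$1 == "160000" { print $3; found = 1 } END { exit !found }'
}

# Constructed fixture: a throwaway repo with a commit on main, an unmerged
# commit on test-branch, and a gitlink on main pointing at a placeholder SHA.
# The gitlink is written directly into the index, so no submodule repo is needed.
SUB_PIN=1111111111111111111111111111111111111111   # placeholder, constructed
make_fixture() {
  dir=$(mktemp -d)
  export GIT_AUTHOR_NAME=x GIT_AUTHOR_EMAIL=x@example.invalid
  export GIT_COMMITTER_NAME=x GIT_COMMITTER_EMAIL=x@example.invalid
  git -C "$dir" init -q 2>/dev/null
  git -C "$dir" symbolic-ref HEAD refs/heads/main
  echo a > "$dir/a" && git -C "$dir" add a && git -C "$dir" commit -q -m main1
  git -C "$dir" update-index --add --cacheinfo 160000,"$SUB_PIN",sub
  git -C "$dir" commit -q -m 'pin submodule'
  git -C "$dir" checkout -q -b test-branch
  echo b > "$dir/b" && git -C "$dir" add b && git -C "$dir" commit -q -m test1
  git -C "$dir" checkout -q main
  printf '%s\n' "$dir"
}
```

Run `make_fixture` and pass the printed path plus `git rev-parse test-branch` to `commit_reachable_from_ref … main` to see the reviewer check reject a commit that only exists on the test branch.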

@timbertson
Contributor Author

Oof, sorry. This should be a nixpkgs issue; are you able to move it easily, or should I open a new one?

I don't know if builtins.fetchgit with submodule support would work for this case; it seems to still be unreleased unless I'm missing something 🤔

@stale

stale bot commented Oct 30, 2021

I marked this as stale due to inactivity.
