git@vger.kernel.org mailing list mirror (one of many)
* Re: Subscribing Apple people to git-security@googlegroups.com
       [not found] <CAGba+=U4nbxL2uuSxyqyZqiiavJpo_E=GhUkipz6DczLdmnkgQ@mail.gmail.com>
@ 2018-07-02 19:50 ` Jeff King
       [not found]   ` <91A9F3A0-5F3F-4137-9A40-CB42EDE4F243@apple.com>
  2018-07-10 13:24   ` Johannes Schindelin
  0 siblings, 2 replies; 9+ messages in thread
From: Jeff King @ 2018-07-02 19:50 UTC (permalink / raw)
  To: Christian Couder
  Cc: Jonathan Nieder, Jeremy Huddleston Sequoia, Tim Triemstra, Eliran Mesika

On Mon, Jul 02, 2018 at 09:29:41PM +0200, Christian Couder wrote:

> When people complained a month ago about the MacOS package on
> https://git-scm.com/ not being up-to-date after the Git security
> release, I got in touch with Apple people GitLab has been working with
> to see if they could help on this.

Unfortunately I don't think this will quite solve the issue we had, just
because people get their copy of Git in various ways. So Homebrew
updated pretty promptly, but people going to git-scm.com to find a
binary package were left without help. Likewise, this will help people
getting Git as part of XCode, but not people getting the package from
git-scm.com.

All that said, I'm happy to get as many binary packagers into the loop
as early as possible. It can only help, even if it doesn't solve all
problems. :)

> Please add these addresses to the git-security mailing list:
>     jeremyhu@apple.com
>     akilsrin@apple.com
>     dt-epm@group.apple.com

Done.

> Please add these GitHub accounts to the cabal repo:
>     jeremyhu

Done.

>     productsecurityOSSapple

I couldn't find that account. Is it maybe a team name within the apple
org or something?

> I am also personally very happy with the Apple developers' willingness
> to get involved and help.

Yes, welcome aboard!

I hope that maybe they're also interested in reducing the overall diff
between upstream Git and what ships with XCode. Last time I looked
(which was admittedly a while ago), a lot of the changes seemed like
things that could probably be considered upstream.

-Peff

* Re: Subscribing Apple people to git-security@googlegroups.com
       [not found]     ` <9AE01C9B-7D10-45F2-8910-1607A19DF722@apple.com>
@ 2018-07-02 21:17       ` Jeff King
  0 siblings, 0 replies; 9+ messages in thread
From: Jeff King @ 2018-07-02 21:17 UTC (permalink / raw)
  To: Akilsrin
  Cc: Jeremy Huddleston Sequoia, Christian Couder, Jonathan Nieder,
	Tim Triemstra, Eliran Mesika

On Mon, Jul 02, 2018 at 01:58:21PM -0700, Akilsrin wrote:

> Could "ProdsecOSS" <prodsecoss@apple.com> also be added to the
> git-security mailing list. It’s another account I control to ensure my
> team and I track open source bugs.
> 
> The git repo: could you add https://github.com/product-security-OSS
> and https://github.com/Akilsrin to the GitHub cabal repo please.

Done, done, and done.

-Peff

* Re: Subscribing Apple people to git-security@googlegroups.com
       [not found]   ` <91A9F3A0-5F3F-4137-9A40-CB42EDE4F243@apple.com>
       [not found]     ` <9AE01C9B-7D10-45F2-8910-1607A19DF722@apple.com>
@ 2018-07-03 13:36     ` Jeff King
  2018-07-03 15:48       ` Jonathan Nieder
  2018-07-10 12:27       ` Ævar Arnfjörð Bjarmason
  1 sibling, 2 replies; 9+ messages in thread
From: Jeff King @ 2018-07-03 13:36 UTC (permalink / raw)
  To: Jeremy Huddleston Sequoia
  Cc: Akilsrin, Christian Couder, Jonathan Nieder, Tim Triemstra,
	Eliran Mesika

On Mon, Jul 02, 2018 at 01:15:19PM -0700, Jeremy Huddleston Sequoia wrote:

> > I hope that maybe they're also interested in reducing the overall
> > diff between upstream Git and what ships with XCode. Last time I
> > looked (which was admittedly a while ago), a lot of the changes
> > seemed like things that could probably be considered upstream.
> 
> I'm very very interested in having reduced differences between what we
> ship in Xcode and what is upstream.  I've been maintaining a repo with
> our patches that I rebase as we move forward, in the hope that these
> changes might be useful to others and a derivative of them might
> eventually be accepted upstream.  See
> https://github.com/jeremyhu/git/commits/master for the current set of
> changes that are in our shipping git (currently on top of 2.17.1).

Thanks for sharing. Skimming over it, I see:

 - several of the changes look related to run-time relocation. There was
   a series that shipped in v2.18.0 related to this, so that may reduce
   your diff once you rebase.

 - The xcode_gitattributes() bits aren't likely to go upstream as-is.
   But possibly these could ship as a default $sysconfdir/gitattributes?

 - the rest look like assorted little fixes that probably could go
   upstream

-Peff

* Re: Subscribing Apple people to git-security@googlegroups.com
  2018-07-03 13:36     ` Jeff King
@ 2018-07-03 15:48       ` Jonathan Nieder
  2018-07-03 16:01         ` Jeff King
  2018-07-10 12:27       ` Ævar Arnfjörð Bjarmason
  1 sibling, 1 reply; 9+ messages in thread
From: Jonathan Nieder @ 2018-07-03 15:48 UTC (permalink / raw)
  To: Jeff King
  Cc: Jeremy Huddleston Sequoia, Akilsrin, Christian Couder,
	Tim Triemstra, Eliran Mesika

Administrivia: do you mind if I bounce these messages to some archived
list, either git@vger.kernel.org or git-security?  Or if we'd prefer
to avoid the noise from that, do you mind if I work with Eric Wong to
get them injected in the https://public-inbox.org/ archive?

Hi,

Jeff King wrote:
> On Mon, Jul 02, 2018 at 01:15:19PM -0700, Jeremy Huddleston Sequoia wrote:

>> I'm very very interested in having reduced differences between what we
>> ship in Xcode and what is upstream.
[...]
> Thanks for sharing. Skimming over it, I see:
>
>  - several of the changes look related to run-time relocation. There was
>    a series that shipped in v2.18.0 related to this, so that may reduce
>    your diff once you rebase.
>
>  - The xcode_gitattributes() bits aren't likely to go upstream as-is.
>    But possibly these could ship as a default $sysconfdir/gitattributes?
>
>  - the rest look like assorted little fixes that probably could go
>    upstream

I agree with Peff's assessment.  I'd also like to emphasize that
upstream is happy to see an [FYI/PATCH] when you have a divergence,
which would provide a thread to reply to to figure out whether there's
some generalization that is suitable for upstream.  (For example,
maybe we want some Makefile knob to allow setting some baked-in
attributes.)

Thanks,
Jonathan

* Re: Subscribing Apple people to git-security@googlegroups.com
  2018-07-03 15:48       ` Jonathan Nieder
@ 2018-07-03 16:01         ` Jeff King
  2018-07-09 22:48           ` Jonathan Nieder
  0 siblings, 1 reply; 9+ messages in thread
From: Jeff King @ 2018-07-03 16:01 UTC (permalink / raw)
  To: Jonathan Nieder
  Cc: Jeremy Huddleston Sequoia, Akilsrin, Christian Couder,
	Tim Triemstra, Eliran Mesika

On Tue, Jul 03, 2018 at 08:48:14AM -0700, Jonathan Nieder wrote:

> Administrivia: do you mind if I bounce these messages to some archived
> list, either git@vger.kernel.org or git-security?  Or if we'd prefer
> to avoid the noise from that, do you mind if I work with Eric Wong to
> get them injected in the https://public-inbox.org/ archive?

I don't mind at all. I'm actually going to work later today on preparing
other messages from the security list to go to the public-inbox.org
archive, so that might pave the way.

-Peff

* Re: Subscribing Apple people to git-security@googlegroups.com
  2018-07-03 16:01         ` Jeff King
@ 2018-07-09 22:48           ` Jonathan Nieder
  0 siblings, 0 replies; 9+ messages in thread
From: Jonathan Nieder @ 2018-07-09 22:48 UTC (permalink / raw)
  To: Jeff King
  Cc: Jeremy Huddleston Sequoia, Akilsrin, Christian Couder,
	Tim Triemstra, Eliran Mesika, git

+git@vger
Jeff King wrote:
> On Tue, Jul 03, 2018 at 08:48:14AM -0700, Jonathan Nieder wrote:

>> Administrivia: do you mind if I bounce these messages to some archived
>> list, either git@vger.kernel.org or git-security?  Or if we'd prefer
>> to avoid the noise from that, do you mind if I work with Eric Wong to
>> get them injected in the https://public-inbox.org/ archive?
>
> I don't mind at all. I'm actually going to work later today on preparing
> other messages from the security list to go to the public-inbox.org
> archive, so that might pave the way.

Thanks, done.

This doesn't work as a trial run for
https://public-inbox.org/meta/20180703160910.GB51821@aiede.svl.corp.google.com,
since I just bounced the mails.  So it won't work for threads like the
326-message thread you mentioned, but it should work in more modest
cases.

It seems that vger only delivered some of the messages.  I suspect
it's related to DMARC.

Jonathan

* Re: Subscribing Apple people to git-security@googlegroups.com
  2018-07-03 13:36     ` Jeff King
  2018-07-03 15:48       ` Jonathan Nieder
@ 2018-07-10 12:27       ` Ævar Arnfjörð Bjarmason
  2018-07-10 18:54         ` Jeremy Huddleston Sequoia
  1 sibling, 1 reply; 9+ messages in thread
From: Ævar Arnfjörð Bjarmason @ 2018-07-10 12:27 UTC (permalink / raw)
  To: Jeff King
  Cc: Jeremy Huddleston Sequoia, Akilsrin, Christian Couder,
	Jonathan Nieder, Tim Triemstra, Eliran Mesika, Git Mailing List

On Tue, Jul 3, 2018 at 3:36 PM, Jeff King <peff@peff.net> wrote:
> On Mon, Jul 02, 2018 at 01:15:19PM -0700, Jeremy Huddleston Sequoia wrote:
>
>> > I hope that maybe they're also interested in reducing the overall
>> > diff between upstream Git and what ships with XCode. Last time I
>> > looked (which was admittedly a while ago), a lot of the changes
>> > seemed like things that could probably be considered upstream.
>>
>> I'm very very interested in having reduced differences between what we
>> ship in Xcode and what is upstream.  I've been maintaining a repo with
>> our patches that I rebase as we move forward, in the hope that these
>> changes might be useful to others and a derivative of them might
>> eventually be accepted upstream.  See
>> https://github.com/jeremyhu/git/commits/master for the current set of
>> changes that are in our shipping git (currently on top of 2.17.1).
>
> Thanks for sharing. Skimming over it, I see:
>
>  - several of the changes look related to run-time relocation. There was
>    a series that shipped in v2.18.0 related to this, so that may reduce
>    your diff once you rebase.
>
>  - The xcode_gitattributes() bits aren't likely to go upstream as-is.
>    But possibly these could ship as a default $sysconfdir/gitattributes?
>
>  - the rest look like assorted little fixes that probably could go
>    upstream

Jeremy, could you elaborate on what
https://github.com/jeremyhu/git/commit/61b42bc5d2 was about? I.e.
where was this discussed & tests for this refused?

Seems sensible to me to have this in some form, but the test as-is
seems to be a general regression test, not Apple-specific, so it would
need to be changed somewhat, or does it only happen with some other
custom patch of yours?

* Re: Subscribing Apple people to git-security@googlegroups.com
  2018-07-02 19:50 ` Subscribing Apple people to git-security@googlegroups.com Jeff King
       [not found]   ` <91A9F3A0-5F3F-4137-9A40-CB42EDE4F243@apple.com>
@ 2018-07-10 13:24   ` Johannes Schindelin
  1 sibling, 0 replies; 9+ messages in thread
From: Johannes Schindelin @ 2018-07-10 13:24 UTC (permalink / raw)
  To: Jeff King
  Cc: Christian Couder, Jonathan Nieder, Jeremy Huddleston Sequoia,
	Tim Triemstra, Eliran Mesika

Hi Peff,

On Mon, 2 Jul 2018, Jeff King wrote:

> On Mon, Jul 02, 2018 at 09:29:41PM +0200, Christian Couder wrote:
> 
> > When people complained a month ago about the MacOS package on
> > https://git-scm.com/ not being up-to-date after the Git security
> > release, I got in touch with Apple people GitLab has been working with
> > to see if they could help on this.
> 
> Unfortunately I don't think this will quite solve the issue we had, just
> because people get their copy of Git in various ways. So Homebrew
> updated pretty promptly, but people going to git-scm.com to find a
> binary package were left without help. Likewise, this will help people
> getting Git as part of XCode, but not people getting the package from
> git-scm.com.

Indeed. The fix for that would be to automate those official Git for macOS
builds. I suggested exactly that to Tim:
https://github.com/gitgitgadget/git/pull/7#issuecomment-403820169

Ciao,
Dscho

* Re: Subscribing Apple people to git-security@googlegroups.com
  2018-07-10 12:27       ` Ævar Arnfjörð Bjarmason
@ 2018-07-10 18:54         ` Jeremy Huddleston Sequoia
  0 siblings, 0 replies; 9+ messages in thread
From: Jeremy Huddleston Sequoia @ 2018-07-10 18:54 UTC (permalink / raw)
  To: Ævar Arnfjörð Bjarmason
  Cc: Jeff King, Akilsrin, Christian Couder, Jonathan Nieder,
	Tim Triemstra, Eliran Mesika, Git Mailing List


> On Jul 10, 2018, at 5:27 AM, Ævar Arnfjörð Bjarmason <avarab@gmail.com> wrote:
> 
> On Tue, Jul 3, 2018 at 3:36 PM, Jeff King <peff@peff.net> wrote:
>> On Mon, Jul 02, 2018 at 01:15:19PM -0700, Jeremy Huddleston Sequoia wrote:
>> 
>>>> I hope that maybe they're also interested in reducing the overall
>>>> diff between upstream Git and what ships with XCode. Last time I
>>>> looked (which was admittedly a while ago), a lot of the changes
>>>> seemed like things that could probably be considered upstream.
>>> 
>>> I'm very very interested in having reduced differences between what we
>>> ship in Xcode and what is upstream.  I've been maintaining a repo with
>>> our patches that I rebase as we move forward, in the hope that these
>>> changes might be useful to others and a derivative of them might
>>> eventually be accepted upstream.  See
>>> https://github.com/jeremyhu/git/commits/master for the current set of
>>> changes that are in our shipping git (currently on top of 2.17.1).
>> 
>> Thanks for sharing. Skimming over it, I see:
>> 
>> - several of the changes look related to run-time relocation. There was
>>   a series that shipped in v2.18.0 related to this, so that may reduce
>>   your diff once you rebase.
>> 
>> - The xcode_gitattributes() bits aren't likely to go upstream as-is.
>>   But possibly these could ship as a default $sysconfdir/gitattributes?
>> 
>> - the rest look like assorted little fixes that probably could go
>>   upstream
> 
> Jeremy, could you elaborate on what
> https://github.com/jeremyhu/git/commit/61b42bc5d2 was about? I.e.
> where was this discussed & tests for this refused?
> 
> Seems sensible to me to have this in some form, but the test as-is
> seems to be a general regression test, not Apple-specific, so it would
> need to be changed somewhat, or does it only happen with some other
> custom patch of yours?

It was a bug in upstream git and not a bug specific to an Apple change.  We haven't traditionally had many custom changes on our end.  The few we have, we didn't feel they were appropriate or were often rejected when we tried (eg: using CommonCrypto and Security.framework, this one, etc.).

For this particular case, I discussed the bug with the committer (Carlo) and reviewer (Junio) of the commit (18e051a3981f38db08521bb61ccf7e4571335353) via email back in October 2011.  My proposed fix and test were never accepted.  As such, we continued to ship my patch in Xcode's git and MacPorts' git until the underlying bug was actually fixed by someone else in 2014 (ddc2a6281595fd24ea01497c496f88c40a59562f + 655ee9ea3e6c0af57d320e84723ec3bf656cdbf7).  I kept the test in our test suite to ensure we didn't regress.  Here's the final post from that thread after the fix in 2014:

[-- Attachment #2: Re: [PATCH git] setup: Do not strip trailing _ from paths.eml --]
[-- Type: message/rfc822, Size: 11990 bytes --]

Once I rebase on top of 2.18, I'll send out the full set of changes to git@vger as a starting point for discussion again.  I imagine many are not acceptable in current form but might be a starting point for additional discussion (eg: adding options for vendor-specific version rather than the hard coded "Apple Git-##" string).

Thanks,
Jeremy


