-
-
Notifications
You must be signed in to change notification settings - Fork 270
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
stop using libgit2 #2679
Comments
High level, at this point we pretty much only use git for two things (that I can think of):
There's also the issue that some users might not have |
Just swap the default in Line 13 in 74643be
Out of curiosity, it would be interesting to see the Rust peoples view on libgit2 since I know they take security pretty seriously and also use it for Cargo. |
That would be an easy first cut of the change, but I'd rather not maintain two very different sets of code and I'd love to ditch LibGit2 as a dependency of Julia (although we may have to keep it around as a compatibility relic). If we can do everything we need to do with CLI |
I'm a big fan of removing I'd suggest a user API like this: We look at an environment variable with a name like e.g.
I think for most users, the "automatically download However, it would be nice to have some option (maybe an option in |
Yeah it would be good to hear what the Cargo people think about the |
I would just automatically download and use |
Just to get a reference, what Cargo does is https://doc.rust-lang.org/cargo/appendix/git-authentication.html for HTTPS + SSH authentication, and for more complicated authentication you opt-in to use a git CLI (https://doc.rust-lang.org/cargo/reference/config.html#netgit-fetch-with-cli) which is also what we do right now. Regarding completely swapping out LibGit2, that feels like a lot of extra churn for no real reason. Having to rewrite all the nice library API calls into parsing ugly text from CLI calls will be a maintenance burden and it also prevents using nice features like custom progress bars. Having the option to use the CLI git exactly at the point where libgit2 has issues (fancy authentication when downloading something) sounds good enough to me. |
Note that it's libssh2 that has outstanding security issues and isn't maintained; libssh is fine but isn't what libgit2 uses. |
There is a PR to add libssh to libgit2: libgit2/libgit2#5253 |
I've been against this in the past because of the API being kind of nice when dealing with git repos internally and it also allows you to get a nice progress bar but the fact of the matter is that every time someone has a problem with git it seems that using the external git fixes it... So I'm coming around that maybe we should try to get rid of libgit2. This would also allow to move LibGit2.jl from an stdlib to a normal package. I think this can be done in multiple steps:
|
Just as a small practical matter, my understanding is that Git_jll directly doesn’t work well and one needs to use Git.jl, but that also doesn’t work well with private packages on MacOS: JuliaVersionControl/Git.jl#40 |
Side note, I attempted to work around the problem on macOS in JuliaPackaging/Yggdrasil#4987, but last time I tried it, it didn't seem to actually solve that problem. |
The |
Since this is a fair bit of work and in the mean time we have a broken default, how about instead of requiring |
👋 libgit2 maintainer here. I found this issue linked from a different issue, and I’m obviously sad to see it. I certainly won’t begrudge any decisions that you make but I’d be very pleased to work with you to overcome any challenges that you have with libgit2. Concretely, we agree that libssh2 is … not an ideal choice for many users. We recently added support to use the command line |
The underlying SSL issue appears to be tied to libgit2 library being unable to read a PEM file format, and hence errors. Workaround is to use
Using libgit2 has not been a walk in the park. The original motivation for using it is was that Pkg2 worked with git repos for all package installs and did a lot of small git operations which were quite slow when using CLI
git
to spawn an external process for each operation (especially on Windows). So at the time using libgit2 seemed like a git win. However, libgit2 has a complex sprawling API that's hard to wrap and use. We've mostly struggled through that. But there are still problems: it's very common for people to find themselves in situations where CLIgit
can do something fine but Pkg can't becauselibgit2
can't — this is typically an issue with authentication, but not always. Some example problem issue for libgit2: #1247, #911, #2329, #2485 — there are more. Each of these could be fixed, but still, it's a drag that libgit2 so often doesn't work whengit
just works.Now we face a seemingly insurmountable security problem with continuing to use libgit2: it depends on libssh2 for SSH functionality, which is unmaintained and has multiple open CVEs. Moreover, libgit2 has seemingly no intention of supporting a different SSH engine like libssh.
So the time has come to stop using libgit2+libssh2 entirely and switch back to only using an external
git
CLI tool. This issue is to discuss the strategy for doing that.The text was updated successfully, but these errors were encountered: