diff mbox series

[v2] index-pack: teach --promisor to forbid pack name

Message ID 20241119201016.22713-1-jonathantanmy@google.com (mailing list archive)
State New
Headers show
Series [v2] index-pack: teach --promisor to forbid pack name | expand

Commit Message

Jonathan Tan Nov. 19, 2024, 8:10 p.m. UTC 
Currently,

 - Running "index-pack --promisor" outside a repo segfaults.
 - It may be confusing to a user that running "index-pack --promisor"
   within a repo may make changes to the repo's object DB, especially
   since the packs indexed by the index-pack invocation may not even be
   related to the repo.

As discussed in [1] and [2], teaching --promisor to forbid a packfile
name solves both these problems. This combination of arguments requires
a repo (since we are writing the resulting .pack and .idx to it) and it
is clear that the files are related to the repo.

Currently, Git uses "index-pack --promisor" only when fetching into
a repo, so it could be argued that we should teach "index-pack" a
new argument (say, "--fetching-mode") instead of tying --promisor to
a generic argument like the packfile name. However, this --promisor
feature could conceivably be used whenever we have a packfile that is
known to come from the promisor remote (whether obtained through Git's
fetch protocol or through other means) so not using a new argument seems
reasonable - one could envision a user-made script obtaining a packfile
and then running "index-pack --promisor --stdin", for example. In fact,
it might be possible to relax the restriction further (say, by also
allowing --promisor when indexing a packfile that is in the object DB),
but relaxing the restriction is backwards-compatible so we can revisit
that later.

One thing to watch out for is the possibility of a future Git feature
that indexes a pack in the context of a repo, but does not necessarily
write the resulting pack to it (and does not necessarily desire to
make any changes to the object DB). One such feature would be fetch
quarantine, which might need the repo context in order to detect
hash collisions, but would also need to ensure that the object DB
is undisturbed in case the fetch fails for whatever reason, even if
the reason occurs only after the indexing is complete. It may not be
obvious to the implementer of such a feature that "index-pack" could
sometimes write packs other than the indexed pack to the object DB,
but there are already other ways that "fetch" could write to the object
DB (in particular, packfile URIs and bundle URIs), so hopefully the
implementation of this future feature would already include a test that
the object DB be undisturbed.

This change requires the change to t5300 by 1f52cdfacb (index-pack:
document and test the --promisor option, 2022-03-09) to be undone.
(--promisor is already tested indirectly, so we don't need the explicit
test here any more.)

[1] https://lore.kernel.org/git/20241114005652.GC1140565@coredump.intra.peff.net/
[2] https://lore.kernel.org/git/20241119185345.GB15723@coredump.intra.peff.net/

Signed-off-by: Jonathan Tan <jonathantanmy@google.com>
---
This is on jt/repack-local-promisor.

Thanks, Peff, for the catch. Here's an updated patch, with an updated
commit message.
---
 Documentation/git-index-pack.txt | 2 ++
 builtin/index-pack.c             | 2 ++
 t/t5300-pack-object.sh           | 4 +---
 3 files changed, 5 insertions(+), 3 deletions(-)


Range-diff against v1:
1:  b5a0012531 ! 1:  226a627c25 index-pack: teach --promisor to require --stdin
    @@ Metadata
     Author: Jonathan Tan <jonathantanmy@google.com>
     
      ## Commit message ##
    -    index-pack: teach --promisor to require --stdin
    +    index-pack: teach --promisor to forbid pack name
     
         Currently,
     
    @@ Commit message
            since the packs indexed by the index-pack invocation may not even be
            related to the repo.
     
    -    As discussed in [1], teaching --promisor to require --stdin and forbid a
    -    packfile name solves both these problems. This combination of arguments
    -    requires a repo (since we are writing the resulting .pack and .idx to
    -    it) and it is clear that the files are related to the repo.
    +    As discussed in [1] and [2], teaching --promisor to forbid a packfile
    +    name solves both these problems. This combination of arguments requires
    +    a repo (since we are writing the resulting .pack and .idx to it) and it
    +    is clear that the files are related to the repo.
     
         Currently, Git uses "index-pack --promisor" only when fetching into
    -    a repo, so it could be argued that we should teach "index-pack" a new
    -    argument (say, "--fetching-mode") instead of tying --promisor to a
    -    generic argument like "--stdin". However, this --promisor feature could
    -    conceivably be used whenever we have a packfile that is known to come
    -    from the promisor remote (whether obtained through Git's fetch protocol
    -    or through other means) so it seems reasonable to use --stdin here -
    -    one could envision a user-made script obtaining a packfile and then
    -    running "index-pack --promisor --stdin", for example. In fact, it might
    -    be possible to relax the restriction further (say, by also allowing
    -    --promisor when indexing a packfile that is in the object DB), but
    -    relaxing the restriction is backwards-compatible so we can revisit that
    -    later.
    +    a repo, so it could be argued that we should teach "index-pack" a
    +    new argument (say, "--fetching-mode") instead of tying --promisor to
    +    a generic argument like the packfile name. However, this --promisor
    +    feature could conceivably be used whenever we have a packfile that is
    +    known to come from the promisor remote (whether obtained through Git's
    +    fetch protocol or through other means) so not using a new argument seems
    +    reasonable - one could envision a user-made script obtaining a packfile
    +    and then running "index-pack --promisor --stdin", for example. In fact,
    +    it might be possible to relax the restriction further (say, by also
    +    allowing --promisor when indexing a packfile that is in the object DB),
    +    but relaxing the restriction is backwards-compatible so we can revisit
    +    that later.
     
         One thing to watch out for is the possibility of a future Git feature
         that indexes a pack in the context of a repo, but does not necessarily
    @@ Commit message
         test here any more.)
     
         [1] https://lore.kernel.org/git/20241114005652.GC1140565@coredump.intra.peff.net/
    +    [2] https://lore.kernel.org/git/20241119185345.GB15723@coredump.intra.peff.net/
     
         Signed-off-by: Jonathan Tan <jonathantanmy@google.com>
         ---
         This is on jt/repack-local-promisor.
     
    -    Looking into it further, I think that we also need to require no
    -    packfile name to be given (so that we are writing the file to the
    -    repository). Therefore, I've added that requirement both in the code and
    -    in the documentation.
    -
    -    I've tried to summarize our conversation in the commit message - if you
    -    notice anything missing or incorrect, feel free to let me know.
    +    Thanks, Peff, for the catch. Here's an updated patch, with an updated
    +    commit message.
     
      ## Documentation/git-index-pack.txt ##
     @@ Documentation/git-index-pack.txt: Also, if there are objects in the given pack that references non-promisor
    @@ Documentation/git-index-pack.txt: Also, if there are objects in the given pack t
      pack. This avoids a situation in which a repo has non-promisor objects that are
      accessible through promisor objects.
     ++
    -+Requires --stdin, and requires <pack-file> to not be specified.
    ++Requires <pack-file> to not be specified.
      
      NOTES
      -----
    @@ builtin/index-pack.c: int cmd_index_pack(int argc,
      		usage(index_pack_usage);
      	if (fix_thin_pack && !from_stdin)
      		die(_("the option '%s' requires '%s'"), "--fix-thin", "--stdin");
    -+	if (promisor_msg && !from_stdin)
    -+		die(_("the option '%s' requires '%s'"), "--promisor", "--stdin");
     +	if (promisor_msg && pack_name)
     +		die(_("--promisor cannot be used with a pack name"));
      	if (from_stdin && !startup_info->have_repository)
diff mbox series

Patch

diff --git a/Documentation/git-index-pack.txt b/Documentation/git-index-pack.txt
index 4be09e58e7..58dd5b5f0e 100644
--- a/Documentation/git-index-pack.txt
+++ b/Documentation/git-index-pack.txt
@@ -144,6 +144,8 @@  Also, if there are objects in the given pack that references non-promisor
 objects (in the repo), repacks those non-promisor objects into a promisor
 pack. This avoids a situation in which a repo has non-promisor objects that are
 accessible through promisor objects.
++
+Requires <pack-file> to not be specified.
 
 NOTES
 -----
diff --git a/builtin/index-pack.c b/builtin/index-pack.c
index 08b340552f..05758a2f3e 100644
--- a/builtin/index-pack.c
+++ b/builtin/index-pack.c
@@ -1970,6 +1970,8 @@  int cmd_index_pack(int argc,
 		usage(index_pack_usage);
 	if (fix_thin_pack && !from_stdin)
 		die(_("the option '%s' requires '%s'"), "--fix-thin", "--stdin");
+	if (promisor_msg && pack_name)
+		die(_("--promisor cannot be used with a pack name"));
 	if (from_stdin && !startup_info->have_repository)
 		die(_("--stdin requires a git repository"));
 	if (from_stdin && hash_algo)
diff --git a/t/t5300-pack-object.sh b/t/t5300-pack-object.sh
index aff164ddf8..c53f355e48 100755
--- a/t/t5300-pack-object.sh
+++ b/t/t5300-pack-object.sh
@@ -332,10 +332,8 @@  test_expect_success 'build pack index for an existing pack' '
 	git index-pack -o tmp.idx test-3.pack &&
 	cmp tmp.idx test-1-${packname_1}.idx &&
 
-	git index-pack --promisor=message test-3.pack &&
+	git index-pack test-3.pack &&
 	cmp test-3.idx test-1-${packname_1}.idx &&
-	echo message >expect &&
-	test_cmp expect test-3.promisor &&
 
 	cat test-2-${packname_2}.pack >test-3.pack &&
 	git index-pack -o tmp.idx test-2-${packname_2}.pack &&