git2-rs icon indicating copy to clipboard operation
git2-rs copied to clipboard

Published 20 hours ago verified publisher icon rust-lang

SHA-256

Open lorenzleutgeb opened this issue 1 year ago • 1 comments

Consider the improvements regarding support for SHA-256 in Git, last mentioned in the release notes for version 2.45:

  • https://github.com/git/git/blob/master/Documentation/RelNotes/2.45.0.txt
  • https://github.blog/open-source/git/highlights-from-git-2-45/

libgit2 has experimental support for SHA-256, guarded by -DEXPERIMENTAL_SHA256.

There is a reference to this in git2-rs:

https://github.com/rust-lang/git2-rs/blob/abbd64e80366b113b0a5056929ca3b58861e2570/libgit2-sys/lib.rs#L1174

It might be useful to allow users explore SHA-256 compatibility with git2-rs, probably behind a feature flag.

lorenzleutgeb avatar Oct 10 '24 12:10 lorenzleutgeb

With libgit2 1.9.0 it was announced that 2.0.0 will be ABI breaking and making SHA256 support default

extrawurst avatar Dec 28 '24 16:12 extrawurst

With libgit2 1.9.0 it was announced that 2.0.0 will be ABI breaking and making SHA256 support default

@extrawurst When do you plan on releasing v2.0.0?

yonas avatar Jun 08 '25 18:06 yonas

a CVE to double check in this library as well: https://nvd.nist.gov/vuln/detail/CVE-2025-31130

eirnym avatar Jun 11 '25 19:06 eirnym

Is there a roadmap with rough dates/spans, when this can be realistically expected to be released?

theAkito avatar Aug 04 '25 13:08 theAkito

No date ATM. This is a libgit2 Rust binding, so we get whatever upstream libgit2 provides

weihanglo avatar Aug 04 '25 13:08 weihanglo

I asked upstream here: https://github.com/libgit2/libgit2/discussions/7149 (With a quote of the part of the release notes referred to by https://github.com/rust-lang/git2-rs/issues/1090#issuecomment-2564380175.)

lorenzleutgeb avatar Oct 18 '25 15:10 lorenzleutgeb

Upstream indicates that they want more users to use the SHA256 support so they could have actual testing for it. A feature flag for experimental features like this would be a good idea, I think. It's obviously some work. Is this project open to the possibility of that kind of PR?

Taywee avatar Nov 09 '25 23:11 Taywee

Sounds like a good attempt as well as a preparation of the sha256 stabilization. We just need to make sure that it is documented as experimental and has tests covered

weihanglo avatar Nov 10 '25 00:11 weihanglo

Cool. Exactly what I suggested more than a year ago 🙃 I would be open to experimenting with SHA-256 guarded by an experimental feature flag in the Radicle codebase.

Just as an idea for naming: clap seems to use "unstable-" as prefix, see https://github.com/clap-rs/clap/blob/cb49ebad046317a6bef22a553f6f1c8b7852853c/Cargo.toml#L178-L183

lorenzleutgeb avatar Nov 10 '25 10:11 lorenzleutgeb