setup: warn if extensions exist on old format

[derrickstolee]

This is based on xl/upgrade-repo-format.

Thanks, Taylor and Junio for jumping in with helpful review.

Updates in v2:

1. My initial patch is essentially dropped in its entirety, with Junio's patch here instead. I added an extra test and kept some of my commit message.

2. A second patch has joined the fray, hopefully answering the concerned raise by Johannes [1].

[1] https://lore.kernel.org/git/pull.675.git.1594677321039.gitgitgadget@gmail.com/

Thanks,
-Stolee

Cc: newren@gmail.com, delphij@google.com, peff@peff.net, johannes.schindelin@gmx.de, me@ttaylorr.com

[derrickstolee]

/submit

[gitgitgadget]

Submitted as pull.674.git.1594668051847.gitgitgadget@gmail.com

[gitgitgadget]

On the Git mailing list, Taylor Blau wrote (reply to this):

On Mon, Jul 13, 2020 at 07:20:51PM +0000, Derrick Stolee via GitGitGadget wrote:
> From: Derrick Stolee <dstolee@microsoft.com>
>
> Prior to 14c7fa269e4 (check_repository_format_gently(): refuse extensions
> for old repositories, 2020-06-05), Git was honoring configured
> extensions, even if core.repositoryFormatVersion was 0 (or unset). This
> was incorrect, and is now fixed.
>
> The issue now is that users who relied on that previously bad behavior
> will upgrade to the next version of Git and suddently be in a bad
> situation. In particular, users of the 'git sparse-checkout' builting
> will rely on the extensions.worktreeConfig for the core.sparseCheckout
> and core.sparseCheckoutCone config options. Without that extension,
> these users will suddenly have repositories stop acting like a sparse
> repo.
>
> What is worse is that a user will be confronted with the following
> error if they try to run 'git sparse-checkout init' again:
>
> 	warning: unable to upgrade repository format from 0 to 1
>
> This is because the logic in 14c7fa269e4 refuses to upgrae repos when

s/upgrae/upgrade

> the version is unset but extensions exist.

I'm not sure that I want to get into a discussion about whether or not
this logic is right while -rc0 is already out, but it seems like
14c7fa269e4 could be tweaked to be a little more tolerant of this case.

On the other hand, I think that the approach here is perfectly sensible,
absent of a more invasive change to the logic in 14c7fa269e4.

> While it is important to correct this improper behavior, create a
> warning so users in this situation can correct themselves without too
> much guesswork. By creating a warning in
> check_repository_format_gently(), we can alert the user if they have a
> ocnfigured extension but not a configured repository version.

s/ocnfigured/configured

> Signed-off-by: Derrick Stolee <dstolee@microsoft.com>
> ---
>     setup: warn if extensions exist on old format
>
>     This is based on xl/upgrade-repo-format.
>
>     Can this be considered for v2.28.0-rc1? I think this is an important
>     shift in behavior that will disrupt many users if they upgrade without
>     it!

I would be happy to see something like this in -rc1, unless Junio has
reservations about making this change at this point in the release cycle
(I do not have any such concerns).

>     If not this warning or change, then how else can we help users who are
>     in this situation? How can we save those who adopted the sparse-checkout
>     builtin in recent versions from terrible post-upgrade headaches?
>
>     Thanks, -Stolee
>
> Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-674%2Fderrickstolee%2Fsparse-checkout-warning-v1
> Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-674/derrickstolee/sparse-checkout-warning-v1
> Pull-Request: https://github.com/gitgitgadget/git/pull/674
>
>  setup.c                            | 5 +++++
>  t/t1091-sparse-checkout-builtin.sh | 9 +++++++++
>  2 files changed, 14 insertions(+)
>
> diff --git a/setup.c b/setup.c
> index eb066db6d8..6ff6c54d39 100644
> --- a/setup.c
> +++ b/setup.c
> @@ -542,6 +542,11 @@ static int check_repository_format_gently(const char *gitdir, struct repository_
>  		}
>  	}
>
> +	if (candidate->version == 0 && candidate->has_extensions) {
> +		warning(_("some extensions are enabled, but core.repositoryFormatVersion=0"));
> +		warning(_("if you intended to use extensions, run 'git config core.repositoryFormatVersion 1'"));
> +	}
> +
>  	return 0;
>  }
>
> diff --git a/t/t1091-sparse-checkout-builtin.sh b/t/t1091-sparse-checkout-builtin.sh
> index 88cdde255c..d249428f44 100755
> --- a/t/t1091-sparse-checkout-builtin.sh
> +++ b/t/t1091-sparse-checkout-builtin.sh
> @@ -68,6 +68,15 @@ test_expect_success 'git sparse-checkout init' '
>  	check_files repo a
>  '
>
> +test_expect_success 'warning about core.repositoryFormatVersion' '
> +	test_when_finished git -C repo config core.repositoryFormatVersion 1 &&
> +	git -C repo status 2>err &&
> +	test_must_be_empty err &&
> +	git -C repo config --local core.repositoryFormatVersion 0 &&

I don't think it's that difficult to see that this patch is correct, but
it might be worth testing this for the case that
'core.repositoryFormatVersion' is unset, too.

> +	git -C repo status 2>err &&
> +	test_i18ngrep "some extensions are enabled, but core.repositoryFormatVersion=0" err
> +'
> +
>  test_expect_success 'git sparse-checkout list after init' '
>  	git -C repo sparse-checkout list >actual &&
>  	cat >expect <<-\EOF &&
>
> base-commit: 14c7fa269e42df4133edd9ae7763b678ed6594cd
> --
> gitgitgadget

Thanks,
Taylor

[gitgitgadget]

On the Git mailing list, Junio C Hamano wrote (reply to this):

"Derrick Stolee via GitGitGadget" <gitgitgadget@gmail.com> writes:

> From: Derrick Stolee <dstolee@microsoft.com>
>
> Prior to 14c7fa269e4 (check_repository_format_gently(): refuse extensions
> for old repositories, 2020-06-05), Git was honoring configured
> extensions, even if core.repositoryFormatVersion was 0 (or unset). This
> was incorrect, and is now fixed.
>
> The issue now is that users who relied on that previously bad behavior
> will upgrade to the next version of Git and suddently be in a bad
> situation. In particular, users of the 'git sparse-checkout' builting
> will rely on the extensions.worktreeConfig for the core.sparseCheckout
> and core.sparseCheckoutCone config options. Without that extension,
> these users will suddenly have repositories stop acting like a sparse
> repo.

s/builting/command/ perhaps???

>
> What is worse is that a user will be confronted with the following
> error if they try to run 'git sparse-checkout init' again:
>
> 	warning: unable to upgrade repository format from 0 to 1
>
> This is because the logic in 14c7fa269e4 refuses to upgrae repos when
> the version is unset but extensions exist.
>
> While it is important to correct this improper behavior, create a
> warning so users in this situation can correct themselves without too
> much guesswork. By creating a warning in
> check_repository_format_gently(), we can alert the user if they have a
> ocnfigured extension but not a configured repository version.

s/ocn/con/

> Signed-off-by: Derrick Stolee <dstolee@microsoft.com>
> ---

Thanks for a thoughtful analysis of the situation and coming up with
a plan to remedy.

> +	if (candidate->version == 0 && candidate->has_extensions) {
> +		warning(_("some extensions are enabled, but core.repositoryFormatVersion=0"));
> +		warning(_("if you intended to use extensions, run 'git config core.repositoryFormatVersion 1'"));
> +	}

That reads well.

An alternative may be to grandfather some extensions that were
enabled by git by mistake without updating the format version, and
we update the repository even if the repository has extensions that
should not exist, but those offending extensions are limited only to
those that we decide to special case.  That would make the end-user
experience even smoother.

Is extenions.worktreeCOnfig the only one that needs this escape
hatch?

[gitgitgadget]

On the Git mailing list, Derrick Stolee wrote (reply to this):

On 7/13/2020 3:34 PM, Taylor Blau wrote:
> s/upgrae/upgrade
> s/ocnfigured/configured

Oh man, what was going on with me when I was typing this message.

Thanks for the thorough inspection.

>> diff --git a/setup.c b/setup.c
>> index eb066db6d8..6ff6c54d39 100644
>> --- a/setup.c
>> +++ b/setup.c
>> @@ -542,6 +542,11 @@ static int check_repository_format_gently(const char *gitdir, struct repository_
>>  		}
>>  	}
>>
>> +	if (candidate->version == 0 && candidate->has_extensions) {
>> +		warning(_("some extensions are enabled, but core.repositoryFormatVersion=0"));
>> +		warning(_("if you intended to use extensions, run 'git config core.repositoryFormatVersion 1'"));
>> +	}
>> +
>>  	return 0;
>>  }
>>
>> diff --git a/t/t1091-sparse-checkout-builtin.sh b/t/t1091-sparse-checkout-builtin.sh
>> index 88cdde255c..d249428f44 100755
>> --- a/t/t1091-sparse-checkout-builtin.sh
>> +++ b/t/t1091-sparse-checkout-builtin.sh
>> @@ -68,6 +68,15 @@ test_expect_success 'git sparse-checkout init' '
>>  	check_files repo a
>>  '
>>
>> +test_expect_success 'warning about core.repositoryFormatVersion' '
>> +	test_when_finished git -C repo config core.repositoryFormatVersion 1 &&
>> +	git -C repo status 2>err &&
>> +	test_must_be_empty err &&
>> +	git -C repo config --local core.repositoryFormatVersion 0 &&
> 
> I don't think it's that difficult to see that this patch is correct, but
> it might be worth testing this for the case that
> 'core.repositoryFormatVersion' is unset, too.

You were absolutely right to check this, since this diff causes
the test to fail:

diff --git a/t/t1091-sparse-checkout-builtin.sh b/t/t1091-sparse-checkout-builtin.sh
index d249428f44..b5de141292 100755
--- a/t/t1091-sparse-checkout-builtin.sh
+++ b/t/t1091-sparse-checkout-builtin.sh
@@ -74,6 +74,9 @@ test_expect_success 'warning about core.repositoryFormatVersion' '
        test_must_be_empty err &&
        git -C repo config --local core.repositoryFormatVersion 0 &&
        git -C repo status 2>err &&
+       test_i18ngrep "some extensions are enabled, but core.repositoryFormatVersion=0" err &&
+       git -C repo config --local --unset core.repositoryFormatVersion 0 &&
+       git -C repo status 2>err &&
        test_i18ngrep "some extensions are enabled, but core.repositoryFormatVersion=0" err
 '
 

I'll investigate why the "unset" case is different than the "0" case.

Hopefully the "should we do this?" question can continue being discussed
while I work on a v2.

Thanks,
-Stolee

[gitgitgadget]

On the Git mailing list, Junio C Hamano wrote (reply to this):

Junio C Hamano <gitster@pobox.com> writes:

> An alternative may be to grandfather some extensions that were
> enabled by git by mistake without updating the format version, and
> we update the repository even if the repository has extensions that
> should not exist, but those offending extensions are limited only to
> those that we decide to special case.  That would make the end-user
> experience even smoother.
>
> Is extenions.worktreeCOnfig the only one that needs this escape
> hatch?

Assuming that worktreeconfig is the only thing, the change may look
like this.  With this change, we might want to drop the new warning
in hunk ll.542- to avoid encouraging people to muck with their
repository with random configuration variables that happen to share
extensions.* prefix with us.

 cache.h |  2 +-
 setup.c | 17 +++++++++++++----
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/cache.h b/cache.h
index e5885cc9ea..8ff46857f6 100644
--- a/cache.h
+++ b/cache.h
@@ -1042,8 +1042,8 @@ struct repository_format {
 	int worktree_config;
 	int is_bare;
 	int hash_algo;
-	int has_extensions;
 	char *work_tree;
+	int has_unallowed_extensions;
 	struct string_list unknown_extensions;
 };
 
diff --git a/setup.c b/setup.c
index eb066db6d8..5f4786d3b9 100644
--- a/setup.c
+++ b/setup.c
@@ -455,12 +455,13 @@ static int check_repo_format(const char *var, const char *value, void *vdata)
 	if (strcmp(var, "core.repositoryformatversion") == 0)
 		data->version = git_config_int(var, value);
 	else if (skip_prefix(var, "extensions.", &ext)) {
-		data->has_extensions = 1;
 		/*
 		 * record any known extensions here; otherwise,
 		 * we fall through to recording it as unknown, and
 		 * check_repository_format will complain
 		 */
+		int is_unallowed_extension = 1;
+
 		if (!strcmp(ext, "noop"))
 			;
 		else if (!strcmp(ext, "preciousobjects"))
@@ -469,10 +470,13 @@ static int check_repo_format(const char *var, const char *value, void *vdata)
 			if (!value)
 				return config_error_nonbool(var);
 			data->partial_clone = xstrdup(value);
-		} else if (!strcmp(ext, "worktreeconfig"))
+		} else if (!strcmp(ext, "worktreeconfig")) {
 			data->worktree_config = git_config_bool(var, value);
-		else
+			is_unallowed_extension = 0;
+		} else
 			string_list_append(&data->unknown_extensions, ext);
+
+		data->has_unallowed_extensions |= is_unallowed_extension;
 	}
 
 	return read_worktree_config(var, value, vdata);
@@ -542,6 +546,11 @@ static int check_repository_format_gently(const char *gitdir, struct repository_
 		}
 	}
 
+	if (candidate->version == 0 && candidate->has_unallowed_extensions) {
+		warning(_("some extensions are enabled, but core.repositoryFormatVersion=0"));
+		warning(_("if you intended to use extensions, run 'git config core.repositoryFormatVersion 1'"));
+	}
+
 	return 0;
 }
 
@@ -560,7 +569,7 @@ int upgrade_repository_format(int target_version)
 		return 0;
 
 	if (verify_repository_format(&repo_fmt, &err) < 0 ||
-	    (!repo_fmt.version && repo_fmt.has_extensions)) {
+	    (!repo_fmt.version && repo_fmt.has_unallowed_extensions)) {
 		warning("unable to upgrade repository format from %d to %d: %s",
 			repo_fmt.version, target_version, err.buf);
 		strbuf_release(&err);

[gitgitgadget]

On the Git mailing list, Junio C Hamano wrote (reply to this):

The "fail and warn" approach introduced in the previous step may be
with smaller impact to the codebase, but

 - it requires the end-user to read, understand and execute the
   manual upgrade

 - it encourages to follow the same procedure blindly, making the
   protection even less useful

Let's instead keep failing hard without teaching how to bypass the
repository protection, but allow upgrading even when only the
worktreeconfig extension exists in an old repository, which is
likely to be set by a broke version of Git that did not update the
repository version when setting the extension.

Signed-off-by: Junio C Hamano <gitster@pobox.com>
---

 * This time with a log message to explain and justify the change,
   with a matching tweak to the test script, designed to be applied
   on top, but feel free to squash it in if you agree with me that
   we do not need two separate commits for this.

   Thanks.

 cache.h                            |  2 +-
 setup.c                            | 17 ++++++++---------
 t/t1091-sparse-checkout-builtin.sh |  9 ---------
 3 files changed, 9 insertions(+), 19 deletions(-)

diff --git a/cache.h b/cache.h
index e5885cc9ea..8ff46857f6 100644
--- a/cache.h
+++ b/cache.h
@@ -1042,8 +1042,8 @@ struct repository_format {
 	int worktree_config;
 	int is_bare;
 	int hash_algo;
-	int has_extensions;
 	char *work_tree;
+	int has_unallowed_extensions;
 	struct string_list unknown_extensions;
 };
 
diff --git a/setup.c b/setup.c
index 6ff6c54d39..65270440a9 100644
--- a/setup.c
+++ b/setup.c
@@ -455,12 +455,13 @@ static int check_repo_format(const char *var, const char *value, void *vdata)
 	if (strcmp(var, "core.repositoryformatversion") == 0)
 		data->version = git_config_int(var, value);
 	else if (skip_prefix(var, "extensions.", &ext)) {
-		data->has_extensions = 1;
 		/*
 		 * record any known extensions here; otherwise,
 		 * we fall through to recording it as unknown, and
 		 * check_repository_format will complain
 		 */
+		int is_unallowed_extension = 1;
+
 		if (!strcmp(ext, "noop"))
 			;
 		else if (!strcmp(ext, "preciousobjects"))
@@ -469,10 +470,13 @@ static int check_repo_format(const char *var, const char *value, void *vdata)
 			if (!value)
 				return config_error_nonbool(var);
 			data->partial_clone = xstrdup(value);
-		} else if (!strcmp(ext, "worktreeconfig"))
+		} else if (!strcmp(ext, "worktreeconfig")) {
 			data->worktree_config = git_config_bool(var, value);
-		else
+			is_unallowed_extension = 0;
+		} else
 			string_list_append(&data->unknown_extensions, ext);
+
+		data->has_unallowed_extensions |= is_unallowed_extension;
 	}
 
 	return read_worktree_config(var, value, vdata);
@@ -542,11 +546,6 @@ static int check_repository_format_gently(const char *gitdir, struct repository_
 		}
 	}
 
-	if (candidate->version == 0 && candidate->has_extensions) {
-		warning(_("some extensions are enabled, but core.repositoryFormatVersion=0"));
-		warning(_("if you intended to use extensions, run 'git config core.repositoryFormatVersion 1'"));
-	}
-
 	return 0;
 }
 
@@ -565,7 +564,7 @@ int upgrade_repository_format(int target_version)
 		return 0;
 
 	if (verify_repository_format(&repo_fmt, &err) < 0 ||
-	    (!repo_fmt.version && repo_fmt.has_extensions)) {
+	    (!repo_fmt.version && repo_fmt.has_unallowed_extensions)) {
 		warning("unable to upgrade repository format from %d to %d: %s",
 			repo_fmt.version, target_version, err.buf);
 		strbuf_release(&err);
diff --git a/t/t1091-sparse-checkout-builtin.sh b/t/t1091-sparse-checkout-builtin.sh
index d249428f44..88cdde255c 100755
--- a/t/t1091-sparse-checkout-builtin.sh
+++ b/t/t1091-sparse-checkout-builtin.sh
@@ -68,15 +68,6 @@ test_expect_success 'git sparse-checkout init' '
 	check_files repo a
 '
 
-test_expect_success 'warning about core.repositoryFormatVersion' '
-	test_when_finished git -C repo config core.repositoryFormatVersion 1 &&
-	git -C repo status 2>err &&
-	test_must_be_empty err &&
-	git -C repo config --local core.repositoryFormatVersion 0 &&
-	git -C repo status 2>err &&
-	test_i18ngrep "some extensions are enabled, but core.repositoryFormatVersion=0" err
-'
-
 test_expect_success 'git sparse-checkout list after init' '
 	git -C repo sparse-checkout list >actual &&
 	cat >expect <<-\EOF &&
-- 
2.28.0-rc0

[gitgitgadget]

On the Git mailing list, Derrick Stolee wrote (reply to this):

On 7/13/2020 4:18 PM, Junio C Hamano wrote:
> The "fail and warn" approach introduced in the previous step may be
> with smaller impact to the codebase, but
> 
>  - it requires the end-user to read, understand and execute the
>    manual upgrade
> 
>  - it encourages to follow the same procedure blindly, making the
>    protection even less useful
> 
> Let's instead keep failing hard without teaching how to bypass the
> repository protection, but allow upgrading even when only the
> worktreeconfig extension exists in an old repository, which is
> likely to be set by a broke version of Git that did not update the
> repository version when setting the extension.

This is a more subtle way to handle the case. In fact, it
silently makes extensions.worktreeConfig work as it did in 2.27,
which means users will not have any troubles after upgrading.

I also like that you are actually fixing the case where a user in
the bad state _can_ get out using "git sparse-checkout init".

This can be verified by adding this test:

test_expect_success 'git sparse-checkout works if repository format is wrong' '
	test_when_finished git -C repo config core.repositoryFormatVersion 1 &&
	git -C repo sparse-checkout init &&
	git -C repo config core.repositoryFormatVersion >actual &&
	echo 1 >expect &&
	test_cmp expect actual &&
	git -C repo config core.repositoryFormatVersion 0 &&
	git -C repo sparse-checkout init &&
	git -C repo config core.repositoryFormatVersion >actual &&
	test_cmp expect actual
'

> Signed-off-by: Junio C Hamano <gitster@pobox.com>
> ---
> 
>  * This time with a log message to explain and justify the change,
>    with a matching tweak to the test script, designed to be applied
>    on top, but feel free to squash it in if you agree with me that
>    we do not need two separate commits for this.

Since this commit removes all evidence of the previous one, I would
recommend just squashing them together.

Thanks for your fast feedback!
-Stolee

[gitgitgadget]

On the Git mailing list, Junio C Hamano wrote (reply to this):

Derrick Stolee <stolee@gmail.com> writes:

> I also like that you are actually fixing the case where a user in
> the bad state _can_ get out using "git sparse-checkout init".
>
> This can be verified by adding this test:
>
> test_expect_success 'git sparse-checkout works if repository format is wrong' '
> 	test_when_finished git -C repo config core.repositoryFormatVersion 1 &&
> 	git -C repo sparse-checkout init &&
> 	git -C repo config core.repositoryFormatVersion >actual &&
> 	echo 1 >expect &&
> 	test_cmp expect actual &&
> 	git -C repo config core.repositoryFormatVersion 0 &&
> 	git -C repo sparse-checkout init &&
> 	git -C repo config core.repositoryFormatVersion >actual &&
> 	test_cmp expect actual
> '
>
>> Signed-off-by: Junio C Hamano <gitster@pobox.com>
>> ---
>> 
>>  * This time with a log message to explain and justify the change,
>>    with a matching tweak to the test script, designed to be applied
>>    on top, but feel free to squash it in if you agree with me that
>>    we do not need two separate commits for this.
>
> Since this commit removes all evidence of the previous one, I would
> recommend just squashing them together.

Alright, then care to do the honors ;-)?  Let's make sure we have it
in -rc1 to avoid nasty "regression" in the upcoming release.

Thanks for raising the issue and exploring the solution space.

[derrickstolee]

/submit

[gitgitgadget]

Submitted as pull.674.v2.git.1594690017.gitgitgadget@gmail.com

[gitgitgadget]

On the Git mailing list, Jonathan Nieder wrote (reply to this):

Hi,

Derrick Stolee wrote:
> On 7/13/2020 4:18 PM, Junio C Hamano wrote:

>> The "fail and warn" approach introduced in the previous step may be
>> with smaller impact to the codebase, but
>>
>>  - it requires the end-user to read, understand and execute the
>>    manual upgrade
>>
>>  - it encourages to follow the same procedure blindly, making the
>>    protection even less useful
>>
>> Let's instead keep failing hard without teaching how to bypass the
>> repository protection, but allow upgrading even when only the
>> worktreeconfig extension exists in an old repository, which is
>> likely to be set by a broke version of Git that did not update the
>> repository version when setting the extension.
>
> This is a more subtle way to handle the case. In fact, it
> silently makes extensions.worktreeConfig work as it did in 2.27,
> which means users will not have any troubles after upgrading.

I'd like to propose a different endgame:

Instead of looking at `extensions.*` settings one by one to see how
various implementations handled them with repositoryFormatVersion=0,
what if we treat repositoryFormatVersion=0 as a synonym of version=1?

That is:

1. in new repositories, set repositoryFormatVersion = 1, since (1) Git
   versions in the wild should all already know how to handle it and
   (2) as we've learned, other Git implementations need to understand
   some of extensions.* anyway

2. whenever setting any extensions.*, automatically upgrade to
   repositoryFormatVersion = 1

3. when in an existing repository with extensions.* set and
   repositoryFormatVersion = 0, act as though repositoryFormatVersion = 1

4. document this new behavior with repositoryFormatVersion = 0 in
   Documentation/technical/repository-version.txt

This way, the result is simpler than where we started.

Unfortunately, we are not even that consistent about what to do with
extensions.* settings when repositoryFormatVersion = 0 today.  So
we'll have to exercise some care and analyze them one by one to make
sure this is safe (and if it isn't, at *that* point we'd come up with
a more complex variant on (2) and (3) above).

It's too late to go that far for 2.28.  It would be tempting to try a
simple revert of 14c7fa269e4 (check_repository_format_gently(): refuse
extensions for old repositories, 2020-06-05) to get back to tried and
true behavior but that does not do enough --- it still produces an
error when trying to upgrade repository format when any extensions are
set.  So how about such a revert plus Junio's patch plus the analogous
change to Junio's patch for

  extensions.preciousObjects
  extensions.partialClone

?

Thanks,
Jonathan

[gitgitgadget]

On the Git mailing list, Junio C Hamano wrote (reply to this):

Jonathan Nieder <jrnieder@gmail.com> writes:

> It's too late to go that far for 2.28.  It would be tempting to try a
> simple revert of 14c7fa269e4 (check_repository_format_gently(): refuse
> extensions for old repositories, 2020-06-05) to get back to tried and
> true behavior but that does not do enough --- it still produces an
> error when trying to upgrade repository format when any extensions are
> set.  So how about such a revert plus Junio's patch plus the analogous
> change to Junio's patch for
>
>   extensions.preciousObjects
>   extensions.partialClone

My illustration patch was done "assuming that worktreeconfig is the
only thing we wrote by mistake without updating the format version",
and if these two also share the same problem, I obviously is 100%
fine with covering these other ones with the same approach.

I like your "v0 and v1 are the same, but the repository is declared
to be corrupt if the extentions that are not known by today's code
is found in v0 repository", by the way.  Assuming that the two you
listed above plus worktreeconfig are the only ones known by today's
code, that is.  We seem to also know about "noop", so shouldn't it
also be grandfathered in?

[gitgitgadget]

On the Git mailing list, Johannes Schindelin wrote (reply to this):

Hi Stolee,

On Tue, 14 Jul 2020, Derrick Stolee via GitGitGadget wrote:

> This is because the logic in 14c7fa269e4 refuses to upgrae repos when
> the version is unset but extensions exist.

s/upgrae/upgrade/

The rest looks good to me.

Thank you for working on this,
Dscho

> One possible way to alert a user of this issue is to warn them when Git
> notices an extension exists, but core.repositoryFormatVersion is not a
> correct value. However,
>
>  - it requires the end-user to read, understand and execute the
>    manual upgrade
>
>  - it encourages to follow the same procedure blindly, making the
>    protection even less useful
>
> Let's instead keep failing hard without teaching how to bypass the
> repository protection, but allow upgrading even when only the
> worktreeconfig extension exists in an old repository, which is
> likely to be set by a broke version of Git that did not update the
> repository version when setting the extension.
>
> This change of behavior is made visible by testing how 'git
> sparse-checkout init' behaves to upgrade the repository format version
> even if the extension.worktreeConfig is already set. This would
> previously fail without a clear way forward.
>
> Signed-off-by: Junio C Hamano <gitster@pobox.com>
> Signed-off-by: Derrick Stolee <dstolee@microsoft.com>
> ---
>  cache.h                            |  2 +-
>  setup.c                            | 12 ++++++++----
>  t/t1091-sparse-checkout-builtin.sh | 12 ++++++++++++
>  3 files changed, 21 insertions(+), 5 deletions(-)
>
> diff --git a/cache.h b/cache.h
> index e5885cc9ea..8ff46857f6 100644
> --- a/cache.h
> +++ b/cache.h
> @@ -1042,8 +1042,8 @@ struct repository_format {
>  	int worktree_config;
>  	int is_bare;
>  	int hash_algo;
> -	int has_extensions;
>  	char *work_tree;
> +	int has_unallowed_extensions;
>  	struct string_list unknown_extensions;
>  };
>
> diff --git a/setup.c b/setup.c
> index eb066db6d8..65270440a9 100644
> --- a/setup.c
> +++ b/setup.c
> @@ -455,12 +455,13 @@ static int check_repo_format(const char *var, const char *value, void *vdata)
>  	if (strcmp(var, "core.repositoryformatversion") == 0)
>  		data->version = git_config_int(var, value);
>  	else if (skip_prefix(var, "extensions.", &ext)) {
> -		data->has_extensions = 1;
>  		/*
>  		 * record any known extensions here; otherwise,
>  		 * we fall through to recording it as unknown, and
>  		 * check_repository_format will complain
>  		 */
> +		int is_unallowed_extension = 1;
> +
>  		if (!strcmp(ext, "noop"))
>  			;
>  		else if (!strcmp(ext, "preciousobjects"))
> @@ -469,10 +470,13 @@ static int check_repo_format(const char *var, const char *value, void *vdata)
>  			if (!value)
>  				return config_error_nonbool(var);
>  			data->partial_clone = xstrdup(value);
> -		} else if (!strcmp(ext, "worktreeconfig"))
> +		} else if (!strcmp(ext, "worktreeconfig")) {
>  			data->worktree_config = git_config_bool(var, value);
> -		else
> +			is_unallowed_extension = 0;
> +		} else
>  			string_list_append(&data->unknown_extensions, ext);
> +
> +		data->has_unallowed_extensions |= is_unallowed_extension;
>  	}
>
>  	return read_worktree_config(var, value, vdata);
> @@ -560,7 +564,7 @@ int upgrade_repository_format(int target_version)
>  		return 0;
>
>  	if (verify_repository_format(&repo_fmt, &err) < 0 ||
> -	    (!repo_fmt.version && repo_fmt.has_extensions)) {
> +	    (!repo_fmt.version && repo_fmt.has_unallowed_extensions)) {
>  		warning("unable to upgrade repository format from %d to %d: %s",
>  			repo_fmt.version, target_version, err.buf);
>  		strbuf_release(&err);
> diff --git a/t/t1091-sparse-checkout-builtin.sh b/t/t1091-sparse-checkout-builtin.sh
> index 88cdde255c..6e339c7c8e 100755
> --- a/t/t1091-sparse-checkout-builtin.sh
> +++ b/t/t1091-sparse-checkout-builtin.sh
> @@ -68,6 +68,18 @@ test_expect_success 'git sparse-checkout init' '
>  	check_files repo a
>  '
>
> +test_expect_success 'git sparse-checkout works if repository format is wrong' '
> +	test_when_finished git -C repo config core.repositoryFormatVersion 1 &&
> +	git -C repo config --unset core.repositoryFormatVersion &&
> +	git -C repo sparse-checkout init &&
> +	git -C repo config core.repositoryFormatVersion >actual &&
> +	echo 1 >expect &&
> +	git -C repo config core.repositoryFormatVersion 0 &&
> +	git -C repo sparse-checkout init &&
> +	git -C repo config core.repositoryFormatVersion >actual &&
> +	test_cmp expect actual
> +'
> +
>  test_expect_success 'git sparse-checkout list after init' '
>  	git -C repo sparse-checkout list >actual &&
>  	cat >expect <<-\EOF &&
> --
> gitgitgadget
>
>

[gitgitgadget]

On the Git mailing list, Johannes Schindelin wrote (reply to this):

Hi Stolee,

On Tue, 14 Jul 2020, Derrick Stolee via GitGitGadget wrote:

>  2. A second patch has joined the fray, hopefully answering the concerned
>     raise by Johannes [1].

It answers my concern!

Thank you for providing these patches,
Dscho

[gitgitgadget]

This branch is now known as ds/upgrade-with-existing-extension.

[gitgitgadget]

This patch series was integrated into seen via git@9e39591.

[gitgitgadget]

This patch series was integrated into seen via git@1eeb0d5.

[gitgitgadget]

This patch series was integrated into seen via git@5eb075c.

[gitgitgadget]

This patch series was integrated into seen via git@adac119.

[gitgitgadget]

This patch series was integrated into seen via git@f037a78.

[gitgitgadget]

This patch series was integrated into seen via git@4f97083.

[derrickstolee]

This is dropped in favor of other patches.