[WIP] Add source.revision

[Alloyed]

Resolves #569.

In hg, this is implemented by passing revision into the clone command (hg clone myrepo --rev myrev).

In git, this is implemented by performing a full clone (git clone myrepo) and then doing git checkout myrev.

Originally I planned to have a special case that compares source.tag and source.revision when both are defined. This would double check the tag's commit-id, but from a security perspective that just moves the trust from the repository host to the rockspec host. Git already supports tag/commit signing with GPG, which are better ways to verify trust.

todo:

• input validation (revisions should only be full commit/changeset IDs)
• git optimizations

tests:

• error on revision in rockspec < 3.0
• error on revision in unsupported URL type (other schemes don't do this it looks like)
• simple revision in git
• simple revision in hg
• revision + tag
• revision + branch (with --single-branch this can be special-cased to avoid full clone)
• revision + tag + branch

[hishamhm]

(This is my first time using the new code-review feature in Github, hope I'm doing this right!)

[hishamhm]

You should use revision = { _type = "string", _version = "3.0" } here (or you can even create a string_3 variable)

[Alloyed]

I can do this, but I'm wondering where I should be putting my more complex validation. I need to make sure

1. the URL specifies either a git or hg repo when revision is specified
2. that revision is a 40-character hex string

I spotted _pattern, which led me to try _pattern = string.rep("%x", 40), and that works, but it has a very silly error message:

Error: Error loading rockspec: /home/kyle/src/luarocks/test/testfiles/invalid_revision-1.0-1.rockspec: Type mismatch on field source.revision: invalid value HEAD does not match '%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x'

[hishamhm]

With the version checking for the revision field in the type checker, you don't need to version-check again here.

[hishamhm]

Yay, thanks for taking on this feature! I added some comments.

[Alloyed]

Thanks for the review, I'm working on a commit that resolves it and adds a few of the simpler tests right now.

Something else: I noticed that luarocks already calls the "-1" part of a rockspec version a "rockspec revision", so I'm worried about the two getting confused for each other. Wikipedia suggests changeset as a possible alternate name I'd be okay with.

[hishamhm]

• I think source.revision won't be ambiguous (that's what the table namespacing is for, after all) and is more obvious than "changeset" — every time I saw people asking for this feature they said "I'd like my rockspec to point to a particular revision", not "changeset". (I'm trying to avoid here a situation where we pick a technically correct name that ends up being more cumbersome in regular use, as it happened when we picked "scm" to refer to in-development rocks).
• Do we need to force all 40 characters in the revision field? A lot more often I see people using much shorter substrings of revisions and that works fine in practice. Again, I'm thinking about convenience here. Those who want the safety of the full hash can still have it. But it's customary for Git-based tools to accept substrings of the hash.
• As for the error message, how about adding an _expecting field to be used for composing the error message? As in _expecting = "a hexadecimal revision hash"

[Alloyed]

1. Understood on the name/typechecking
2. The CLI tools will allow up to the shortest unique substring, but the issue is that this leads to a potential time-bomb: what if another commit made after the fact shares that substring? If the original commit is still available a rockspec that used to work will break, or if (say, a bad actor) came along and replaced the original git history, you could get a completely different commit.
   If a rockspec is temporary this isn't a big deal, so maybe this is an argument to be more lenient here, and more strict in luarocks.org.

[hishamhm]

If a rockspec is temporary this isn't a big deal, so maybe this is an argument to be more lenient here, and more strict in luarocks.org.

This is not a big practical problem at luarocks.org because luarocks upload also stores a .src.rock file which contains a copy of the sources. luarocks build uses the .src.rock by default instead of fetching from git.

[mpeterv]

luarocks build uses the .src.rock by default instead of fetching from git.

So does luarocks install

[codecov-io]

Current coverage is 87.93% (diff: 100%)

Merging #623 into luarocks-3 will increase coverage by 0.23%

@@           luarocks-3       #623   diff @@
============================================
  Files              66         69     +3   
  Lines            6936       6998    +62   
  Methods             0          0          
  Messages            0          0          
  Branches            0          0          
============================================
+ Hits             6083       6154    +71   
+ Misses            853        844     -9   
  Partials            0          0          

Powered by Codecov. Last update 3df4bd5...b923f22

[Alloyed]

Something I noticed: right now, if you use luarocks with an http/https/ssh url, luarocks is forced to do a full clone. Do you remember the reasoning behind it? At least on my machine doing a shallow clone works fine for all three types.

Anyways, an in-words description of how cloning works in this PR:

1. If you don't need a specific revision, you get a shallow clone (git clone --depth=1). this includes normal branches and tags.
2. If you do need a specific revision, and you specify a branch, you get only the commits on that branch (git clone --single-branch)
3. If you specify a revision by itself you get the entire repo. (git clone --)

[daurnimator]

This seems prone to later issues: -- signifies "things after this point are arguments not options".

[daurnimator]

Do url and module need to be quoted?

[daurnimator]

Quote commitish (and/or use -- before it)

[daurnimator]

No need to keep assigning, just start the line from or

[daurnimator]

Why did git_cmd need fs.Q but hg_cmd doesn't?

[hishamhm]

This was auto-closed by accident when the (now merged) luarocks-3 branch was deleted. Sorry!