From: <rsbecker@nexbridge.com>
To: "'Phillip Wood'" <phillip.wood123@gmail.com>,
"'Elijah Newren'" <newren@gmail.com>,
"'Patrick Steinhardt'" <ps@pks.im>
Cc: "'brian m. carlson'" <sandals@crustytoothpaste.net>,
"'Junio C Hamano'" <gitster@pobox.com>,
"'Taylor Blau'" <me@ttaylorr.com>,
"'Kristoffer Haugsbakk'" <kristofferhaugsbakk@fastmail.com>,
"'Josh Soref'" <gitgitgadget@gmail.com>,
git@vger.kernel.org, "'Christian Brabandt'" <cb@256bit.org>,
"'Eli Schwartz'" <eschwartz@gentoo.org>,
"'Haelwenn (lanodan) Monnier'" <contact@hacktivis.me>,
"'Johannes Schindelin'" <Johannes.Schindelin@gmx.de>,
"'Matthias Aßhauer'" <mha1993@live.de>,
"'Sam James'" <sam@gentoo.org>,
"'Collin Funk'" <collin.funk1@gmail.com>,
"'Mike Hommey'" <mh@glandium.org>,
"'Pierre-Emmanuel Patry'" <pierre-emmanuel.patry@embecosm.com>,
"'D. Ben Knoble'" <ben.knoble@gmail.com>,
"'Ramsay Jones'" <ramsay@ramsayjones.plus.com>,
"'Ezekiel Newren'" <ezekielnewren@gmail.com>,
"'Josh Steadmon'" <steadmon@google.com>,
"'Calvin Wan'" <calvinwan@google.com>
Subject: RE: [PATCH v3 02/15] xdiff: introduce rust
Date: Mon, 8 Sep 2025 11:32:36 -0400 [thread overview]
Message-ID: <049301dc20d5$d1643340$742c99c0$@nexbridge.com> (raw)
In-Reply-To: <ad54bb8f-04e4-4bf7-a13f-6ae7b967b718@gmail.com>
On September 8, 2025 6:12 AM, Phillip Wood wrote:
>On 07/09/2025 17:09, rsbecker@nexbridge.com wrote:
>> On September 7, 2025 12:10 AM, Elijah Newren wrote:
>>> Sorry for the delay; life outside of work is challenging at the moment...
>>>
>>
>> I am going to address the critical point mentioned below and snip the rest for
>brevity.
>>
>>> I still don't see why distributors _must_ ship the latest version of
>>> Git and why folks on some platforms are considered broken if they are using a
>slightly older version.
>>> Let me ask again: has anyone answered why this is considered
>>> mandatory? If they have, I've missed it, but I've asked multiple
>>> times. Even if you want to lump "distributors cannot build a newer
>>> version" under the umbrella of "breaking changes", I argue it's a
>>> much different kind of break and one which merits different timelines for
>handling than e.g. lumping it in with 3.0.
>>
>> I do not see that distributors _must_ ship the latest version. Suppose
>> we are on
>> 2.51.0 and a CVE comes out that prohibits its use in an organization
>> that does not allow any medium-high to high CVEs. This represents
>> hundreds of thousands of impacted users in my community alone. How
>> does the CVE get applied if the latest cannot be built and the git
>> team does not apply the CVE fixes to old versions. Personally, I do
>> not care if git versions are different between work and home, or even
>> between CI/CD and other platforms. I don't even care if I have to use
>> JGit instead of git in some situations (which I see is a likely
>> outcome of this discussion). Is there an official statement of what an LTS means?
>
>We're currently discussing what promises we can make about supporting a non-rust
>version of git.
>
>> In other projects LTS is typically, and formally by policy 5 years.
>
>I know commercial linux distributions offer that kind of support but are there really
>open source projects that guarantee 5 years of security updates without any kind
>of support contract?
OpenSSL provides 5 years of security fix support (at no cost) for LTS designated
releases. Currently 3.0 ending Sept 2026 and 3.5 ending around October 2030.
After those dates, there is a fee-based support arrangement available.
>> From what others have said here, positions of 6 months, 3 years, and
>> "apply it yourself if you want to continue to use git" have been made.
>
>Yes it is still being discussed, and no one is volunteering to offer five years of
>support.
>
>> The core problem of adding a breaking dependency is when a CVE comes
>> out that prohibits git from being used at all. If the git team is not
>> going to provide a clear statement, one way or another, if how CVEs
>> (at whatever severity level) will not have a commitment of any kind,
>> then distributors are essentially cast adrift and on our own. It would
>> be helpful of those of us who donate our time, for no compensation,
>> are able to plan for this in a meaningful way.
>
>Doesn't your company make a front end to git? Are you saying that the
>management does not allocate any staff time to work on git itself and expects the
>community to provide it with free security updates?
The REAL PROBLEM that is not being addressed in this thread is that large
companies (the ones who process your credit cards, build your cars,
manufacture your drugs, and tool your factories (a.k.a. NonStop customers),
are generally unwilling to accept CVE fixes from third parties. The fixes have
to be part of the official code base or the fixes will not accepted. That means
that either:
1. the git team has to officially sanction the fixes; or
2. do the fixes themselves.
A compromise may be possible to keep a support branch around in the official
git repo, for those of us who do not have rust available to contribute to,
specifically for post C-deprecation CVE fixes, but I am not sure this is practical.
It would also require occasional assistance from the git team, to make sense of
some of the fixes, If they apply, as none of us are rust experts.
I am already allocated to spending between 10 and 20 hours a month to git,
which usually involves running and verifying build/test cycles. Since git tests
are flakey, in some cases, I have to manually examine each failure
situation and decide whether the failures are sufficient to pass the releases.
These have been reported previously without resolution and do not bear
discussion here.
It is important to understand that many git customers in high audit situations
build git on their own because they do not trust third party builds, so this
needs to remain an option.
>> Please remember that
>> we have to justify our participation to our management teams to be
>> allowed to continue to participate.
>I'm confused by this, as the sentence before say's you're donating your time for no
>compensation.
My company pretends to donates my time with very little direct benefit to
them. My participation is because I feel it is important for my community.
No, I do not get a salary for my git time. It is evenings and weekends. Any time
I spend during working hours has to be made up during off hours.
>
>> Nothing is free from this end
>> and if fixing (not just applying fixes) CVEs are now 100% our
>> responsibility, if would be critical to know that when we build our
>> business cases to our bosses, who I am fairly certain will say an
>> emphatic no.
>
>In the long term, unless your platform gains a rust compiler I'm afraid I think that is
>most likely outcome.
>
>> Also remember that without support from the git team, the code base is
>> no longer the same, meaning the auditors will not necessarily accept
>> fixes from third-party sources.
>
>I think I saw a suggestion/question about the possibility of hosting any long term
>support branch that is maintained by interested parties within the main repository.
>Would that help?
DEFINITELY. With assistance as above. With some help, we may be able to make
this work. It might require a deeper participation on my part and those on my
team to approve changes, which we would consider.
>I appreciate that any move to rust would be very disappointing and disruptive to
>you but the community has to weigh up the benefits rust has to offer against that.
The community has plans for Rust but they have not taken shape fully as of yet. I
have personally been badgering product management to make this happen, and I
might know more in a month or so. However, this takes time, and 6 months is not
enough.
--Randall
next prev parent reply other threads:[~2025-09-08 15:33 UTC|newest]
Thread overview: 203+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-17 20:32 [PATCH 0/7] RFC: Accelerate xdiff and begin its rustification Ezekiel Newren via GitGitGadget
2025-07-17 20:32 ` [PATCH 1/7] xdiff: introduce rust Ezekiel Newren via GitGitGadget
2025-07-17 21:30 ` brian m. carlson
2025-07-17 21:54 ` Junio C Hamano
2025-07-17 22:39 ` Taylor Blau
2025-07-18 23:15 ` Ezekiel Newren
2025-07-23 21:57 ` brian m. carlson
2025-07-23 22:26 ` Junio C Hamano
2025-07-28 19:11 ` Ezekiel Newren
2025-07-31 22:37 ` brian m. carlson
2025-07-22 22:02 ` Mike Hommey
2025-07-22 23:52 ` brian m. carlson
2025-07-17 22:38 ` Taylor Blau
2025-07-17 20:32 ` [PATCH 2/7] xdiff/xprepare: remove superfluous forward declarations Ezekiel Newren via GitGitGadget
2025-07-17 22:41 ` Taylor Blau
2025-07-17 20:32 ` [PATCH 3/7] xdiff: delete unnecessary fields from xrecord_t and xdfile_t Ezekiel Newren via GitGitGadget
2025-07-17 20:32 ` [PATCH 4/7] xdiff: make fields of xrecord_t Rust friendly Ezekiel Newren via GitGitGadget
2025-07-17 22:46 ` Taylor Blau
2025-07-17 23:13 ` brian m. carlson
2025-07-17 23:37 ` Elijah Newren
2025-07-18 0:23 ` Taylor Blau
2025-07-18 0:21 ` Taylor Blau
2025-07-18 13:35 ` Phillip Wood
2025-07-28 19:34 ` Ezekiel Newren
2025-07-28 19:52 ` Phillip Wood
2025-07-28 20:14 ` Ezekiel Newren
2025-07-31 14:20 ` Phillip Wood
2025-07-31 20:58 ` Ezekiel Newren
2025-08-01 9:14 ` Phillip Wood
2025-07-28 20:53 ` Junio C Hamano
2025-07-28 20:00 ` Collin Funk
2025-07-20 1:39 ` Johannes Schindelin
2025-07-17 20:32 ` [PATCH 5/7] xdiff: separate parsing lines from hashing them Ezekiel Newren via GitGitGadget
2025-07-17 22:59 ` Taylor Blau
2025-07-18 13:34 ` Phillip Wood
2025-07-17 20:32 ` [PATCH 6/7] xdiff: conditionally use Rust's implementation of xxhash Ezekiel Newren via GitGitGadget
2025-07-17 23:29 ` Taylor Blau
2025-07-18 19:00 ` Junio C Hamano
2025-07-31 21:13 ` Ezekiel Newren
2025-08-02 7:53 ` Matthias Aßhauer
2025-07-19 21:53 ` Johannes Schindelin
2025-07-20 10:14 ` Phillip Wood
2025-09-23 9:57 ` gitoxide-compatible licensing of Git's Rust code, was " Johannes Schindelin
2025-09-23 17:48 ` Jeff King
2025-09-24 13:48 ` Phillip Wood
2025-09-25 2:25 ` Jeff King
2025-09-25 5:42 ` Patrick Steinhardt
2025-09-26 10:06 ` Phillip Wood
2025-10-03 3:18 ` Jeff King
2025-10-03 9:51 ` Phillip Wood
2025-10-07 9:11 ` Patrick Steinhardt
2025-10-05 5:32 ` Yee Cheng Chin
2025-07-17 20:32 ` [PATCH 7/7] github_workflows: install rust Ezekiel Newren via GitGitGadget
2025-07-17 21:23 ` brian m. carlson
2025-07-18 23:01 ` Ezekiel Newren
2025-07-25 23:56 ` Ben Knoble
2025-07-19 21:54 ` Johannes Schindelin
2025-07-17 21:51 ` [PATCH 0/7] RFC: Accelerate xdiff and begin its rustification brian m. carlson
2025-07-17 22:25 ` Taylor Blau
2025-07-18 0:29 ` brian m. carlson
2025-07-22 12:21 ` Patrick Steinhardt
2025-07-22 15:56 ` Junio C Hamano
2025-07-22 16:03 ` Sam James
2025-07-22 21:37 ` Elijah Newren
2025-07-22 21:55 ` Sam James
2025-07-22 22:08 ` Collin Funk
2025-07-18 9:23 ` Christian Brabandt
2025-07-18 16:26 ` Junio C Hamano
2025-07-19 0:32 ` Elijah Newren
2025-07-18 13:34 ` Phillip Wood
2025-07-18 21:25 ` Eli Schwartz
2025-07-19 0:48 ` Haelwenn (lanodan) Monnier
2025-07-22 12:21 ` Patrick Steinhardt
2025-07-22 14:24 ` Patrick Steinhardt
2025-07-22 15:14 ` Eli Schwartz
2025-07-22 15:56 ` Sam James
2025-07-23 4:32 ` Patrick Steinhardt
2025-07-24 9:01 ` Pierre-Emmanuel Patry
2025-07-24 10:00 ` Patrick Steinhardt
2025-07-28 9:06 ` Pierre-Emmanuel Patry
2025-07-18 14:38 ` Junio C Hamano
2025-07-18 21:56 ` Ezekiel Newren
2025-07-21 10:14 ` Phillip Wood
2025-07-21 18:33 ` Junio C Hamano
2025-07-19 21:53 ` Johannes Schindelin
2025-07-20 8:45 ` Matthias Aßhauer
2025-08-15 1:22 ` [PATCH v2 00/17] " Ezekiel Newren via GitGitGadget
2025-08-15 1:22 ` [PATCH v2 01/17] doc: add a policy for using Rust brian m. carlson via GitGitGadget
2025-08-15 17:03 ` Matthias Aßhauer
2025-08-15 21:31 ` Junio C Hamano
2025-08-16 8:06 ` Matthias Aßhauer
2025-08-19 2:06 ` Ezekiel Newren
2025-08-15 1:22 ` [PATCH v2 02/17] xdiff: introduce rust Ezekiel Newren via GitGitGadget
2025-08-15 1:22 ` [PATCH v2 03/17] xdiff/xprepare: remove superfluous forward declarations Ezekiel Newren via GitGitGadget
2025-08-15 1:22 ` [PATCH v2 04/17] xdiff: delete unnecessary fields from xrecord_t and xdfile_t Ezekiel Newren via GitGitGadget
2025-08-15 1:22 ` [PATCH v2 05/17] xdiff: make fields of xrecord_t Rust friendly Ezekiel Newren via GitGitGadget
2025-08-15 1:22 ` [PATCH v2 06/17] xdiff: separate parsing lines from hashing them Ezekiel Newren via GitGitGadget
2025-08-15 1:22 ` [PATCH v2 07/17] xdiff: conditionally use Rust's implementation of xxhash Ezekiel Newren via GitGitGadget
2025-08-15 1:22 ` [PATCH v2 08/17] github workflows: install rust Ezekiel Newren via GitGitGadget
2025-08-15 1:22 ` [PATCH v2 09/17] Do support Windows again after requiring Rust Johannes Schindelin via GitGitGadget
2025-08-15 17:12 ` Matthias Aßhauer
2025-08-15 21:48 ` Junio C Hamano
2025-08-15 22:11 ` Johannes Schindelin
2025-08-15 23:37 ` Junio C Hamano
2025-08-15 23:37 ` Junio C Hamano
2025-08-16 8:53 ` Matthias Aßhauer
2025-08-17 15:57 ` Junio C Hamano
2025-08-19 2:22 ` Ezekiel Newren
2025-08-15 1:22 ` [PATCH v2 10/17] win+Meson: allow for xdiff to be compiled with MSVC Johannes Schindelin via GitGitGadget
2025-08-15 1:22 ` [PATCH v2 11/17] win+Meson: do allow linking with the Rust-built xdiff Johannes Schindelin via GitGitGadget
2025-08-15 1:22 ` [PATCH v2 12/17] github workflows: define rust versions and targets in the same place Ezekiel Newren via GitGitGadget
2025-08-15 1:22 ` [PATCH v2 13/17] github workflows: upload Cargo.lock Ezekiel Newren via GitGitGadget
2025-08-15 1:22 ` [PATCH v2 14/17] xdiff: implement a white space iterator in Rust Ezekiel Newren via GitGitGadget
2025-08-15 1:22 ` [PATCH v2 15/17] xdiff: create line_hash() and line_equal() Ezekiel Newren via GitGitGadget
2025-08-15 1:22 ` [PATCH v2 16/17] xdiff: optimize case where --ignore-cr-at-eol is the only whitespace flag Ezekiel Newren via GitGitGadget
2025-08-15 1:22 ` [PATCH v2 17/17] xdiff: use rust's version of whitespace processing Ezekiel Newren via GitGitGadget
2025-08-15 15:07 ` [-SPAM-] [PATCH v2 00/17] RFC: Accelerate xdiff and begin its rustification Ramsay Jones
2025-08-19 2:00 ` Elijah Newren
2025-08-24 16:52 ` Patrick Steinhardt
2025-08-18 22:31 ` Junio C Hamano
2025-08-18 23:52 ` Ben Knoble
2025-08-19 1:52 ` Elijah Newren
2025-08-19 9:47 ` Junio C Hamano
2025-08-23 3:55 ` [PATCH v3 00/15] RFC: Cleanup " Ezekiel Newren via GitGitGadget
2025-08-23 3:55 ` [PATCH v3 01/15] doc: add a policy for using Rust brian m. carlson via GitGitGadget
2025-08-23 3:55 ` [PATCH v3 02/15] xdiff: introduce rust Ezekiel Newren via GitGitGadget
2025-08-23 13:43 ` rsbecker
2025-08-23 14:26 ` Kristoffer Haugsbakk
2025-08-23 15:06 ` rsbecker
2025-08-23 18:30 ` Elijah Newren
2025-08-23 19:24 ` brian m. carlson
2025-08-23 20:04 ` rsbecker
2025-08-23 20:36 ` Sam James
2025-08-23 21:17 ` Haelwenn (lanodan) Monnier
2025-08-27 1:57 ` Taylor Blau
2025-08-27 14:39 ` rsbecker
2025-08-27 17:06 ` Junio C Hamano
2025-08-27 17:15 ` rsbecker
2025-08-27 20:12 ` Taylor Blau
2025-08-27 20:22 ` Junio C Hamano
2025-09-02 11:16 ` Patrick Steinhardt
2025-09-02 11:30 ` Sam James
2025-09-02 17:27 ` brian m. carlson
2025-09-02 18:47 ` Sam James
2025-09-03 18:22 ` Collin Funk
2025-09-03 5:40 ` Patrick Steinhardt
2025-09-03 16:22 ` Ramsay Jones
2025-09-03 22:10 ` Junio C Hamano
2025-09-03 22:48 ` Josh Steadmon
2025-09-04 11:10 ` Patrick Steinhardt
2025-09-04 15:45 ` Junio C Hamano
2025-09-05 8:23 ` Patrick Steinhardt
2025-09-04 0:57 ` brian m. carlson
2025-09-04 11:39 ` Patrick Steinhardt
2025-09-04 13:53 ` Sam James
2025-09-05 3:55 ` Elijah Newren
2025-09-04 23:17 ` Ezekiel Newren
2025-09-05 3:54 ` Elijah Newren
2025-09-05 6:50 ` Patrick Steinhardt
2025-09-07 4:10 ` Elijah Newren
2025-09-07 16:09 ` rsbecker
2025-09-08 10:12 ` Phillip Wood
2025-09-08 15:32 ` rsbecker [this message]
2025-09-08 15:10 ` Ezekiel Newren
2025-09-08 15:41 ` rsbecker
2025-09-08 15:31 ` Elijah Newren
2025-09-08 15:36 ` rsbecker
2025-09-08 16:13 ` Elijah Newren
2025-09-08 17:01 ` rsbecker
2025-09-08 6:40 ` Patrick Steinhardt
2025-09-05 10:31 ` Phillip Wood
2025-09-05 11:32 ` Sam James
2025-09-05 13:14 ` Phillip Wood
2025-09-05 13:23 ` Patrick Steinhardt
2025-09-05 15:37 ` Junio C Hamano
2025-09-08 6:40 ` Patrick Steinhardt
2025-08-23 14:29 ` Ezekiel Newren
2025-08-23 3:55 ` [PATCH v3 03/15] github workflows: install rust Ezekiel Newren via GitGitGadget
2025-08-23 3:55 ` [PATCH v3 04/15] win+Meson: do allow linking with the Rust-built xdiff Johannes Schindelin via GitGitGadget
2025-08-23 3:55 ` [PATCH v3 05/15] github workflows: upload Cargo.lock Ezekiel Newren via GitGitGadget
2025-08-23 3:55 ` [PATCH v3 06/15] ivec: create a vector type that is interoperable between C and Rust Ezekiel Newren via GitGitGadget
2025-08-23 8:12 ` Kristoffer Haugsbakk
2025-08-23 9:29 ` Ezekiel Newren
2025-08-23 16:14 ` Junio C Hamano
2025-08-23 16:37 ` Ezekiel Newren
2025-08-23 18:05 ` Junio C Hamano
2025-08-23 20:29 ` Ezekiel Newren
2025-08-25 19:16 ` Elijah Newren
2025-08-26 5:40 ` Junio C Hamano
2025-08-24 13:31 ` Ben Knoble
2025-08-25 20:40 ` Ezekiel Newren
2025-08-26 13:30 ` D. Ben Knoble
2025-08-26 18:47 ` Ezekiel Newren
2025-08-26 22:01 ` brian m. carlson
2025-08-23 3:55 ` [PATCH v3 07/15] xdiff/xprepare: remove superfluous forward declarations Ezekiel Newren via GitGitGadget
2025-08-23 3:55 ` [PATCH v3 08/15] xdiff: delete unnecessary fields from xrecord_t and xdfile_t Ezekiel Newren via GitGitGadget
2025-08-23 3:55 ` [PATCH v3 09/15] xdiff: make fields of xrecord_t Rust friendly Ezekiel Newren via GitGitGadget
2025-08-23 3:55 ` [PATCH v3 10/15] xdiff: use one definition for freeing xdfile_t Ezekiel Newren via GitGitGadget
2025-08-23 3:55 ` [PATCH v3 11/15] xdiff: replace chastore with an ivec in xdfile_t Ezekiel Newren via GitGitGadget
2025-08-23 3:55 ` [PATCH v3 12/15] xdiff: delete nrec field from xdfile_t Ezekiel Newren via GitGitGadget
2025-08-23 3:55 ` [PATCH v3 13/15] xdiff: delete recs " Ezekiel Newren via GitGitGadget
2025-08-23 3:55 ` [PATCH v3 14/15] xdiff: make xdfile_t more rust friendly Ezekiel Newren via GitGitGadget
2025-08-23 3:55 ` [PATCH v3 15/15] xdiff: implement xdl_trim_ends() in Rust Ezekiel Newren via GitGitGadget
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='049301dc20d5$d1643340$742c99c0$@nexbridge.com' \
--to=rsbecker@nexbridge.com \
--cc=Johannes.Schindelin@gmx.de \
--cc=ben.knoble@gmail.com \
--cc=calvinwan@google.com \
--cc=cb@256bit.org \
--cc=collin.funk1@gmail.com \
--cc=contact@hacktivis.me \
--cc=eschwartz@gentoo.org \
--cc=ezekielnewren@gmail.com \
--cc=git@vger.kernel.org \
--cc=gitgitgadget@gmail.com \
--cc=gitster@pobox.com \
--cc=kristofferhaugsbakk@fastmail.com \
--cc=me@ttaylorr.com \
--cc=mh@glandium.org \
--cc=mha1993@live.de \
--cc=newren@gmail.com \
--cc=phillip.wood123@gmail.com \
--cc=pierre-emmanuel.patry@embecosm.com \
--cc=ps@pks.im \
--cc=ramsay@ramsayjones.plus.com \
--cc=sam@gentoo.org \
--cc=sandals@crustytoothpaste.net \
--cc=steadmon@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).