fast-export: --signed-commits is experimental

As the design of signature handling is still being discussed, it is likely that the data stream produced by the code in Git 2.50 would have to be changed in such a way that is not backward compatible. Mark the feature as experimental and discourge its use for now. Also flip the default on the generation side to "strip"; users of existing versions would not have passed --signed-commits=strip and will be broken by this change if the default is made to abort, and will be encouraged by the error message to produce data stream with future breakage guarantees by passing --signed-commits option. As we tone down the default behaviour, we no longer need the FAST_EXPORT_SIGNED_COMMITS_NOABORT environment variable, which was not discoverable enough. Signed-off-by: Junio C Hamano <gitster@pobox.com>
2026-01-10 10:13:33 +00:00 · 2025-05-28 10:29:19 -07:00
parent b32feae0f1
commit 0b4c6baa70
5 changed files with 16 additions and 30 deletions
--- a/Documentation/RelNotes/2.50.0.adoc
+++ b/Documentation/RelNotes/2.50.0.adoc
@@ -100,7 +100,9 @@ Performance, Internal Implementation, Development Support etc.
 * "git fsck" becomes more careful when checking the refs.
 * "git fast-export | git fast-import" learns to deal with commit and
-   tag objects with embedded signatures a bit better.
+   tag objects with embedded signatures a bit better.  This is highly
   experimental and the format of the data stream may change in the
   future without compatibility guarantees.
 * The code paths to check whether a refname X is available (by seeing
   if another ref X/Y exists, etc.) have been optimized.
--- a/Documentation/git-fast-export.adoc
+++ b/Documentation/git-fast-export.adoc
@@ -46,14 +46,12 @@ resulting tag will have an invalid signature.
 --signed-commits=(verbatim|warn-verbatim|warn-strip|strip|abort)::
 	Specify how to handle signed commits.  Behaves exactly as
-	'--signed-tags', but for commits.  Default is 'abort'.
+	'--signed-tags', but for commits.  Default is 'strip', which
 	is the same as how earlier versions of this command without
 	this option behaved.
 +
-Earlier versions this command that did not have '--signed-commits'
+NOTE: This is highly experimental and the format of the data stream may
-behaved as if '--signed-commits=strip'.  As an escape hatch for users
+change in the future without compatibility guarantees.
 of tools that call 'git fast-export' but do not yet support
 '--signed-commits', you may set the environment variable
 'FAST_EXPORT_SIGNED_COMMITS_NOABORT=1' in order to change the default
 from 'abort' to 'warn-strip'.
 --tag-of-filtered-object=(abort|drop|rewrite)::
 	Specify how to handle tags whose tagged object is filtered out.
--- a/Documentation/git-fast-import.adoc
+++ b/Documentation/git-fast-import.adoc
@@ -523,6 +523,9 @@ that signs the commit data.
 Here <alg> specifies which hashing algorithm is used for this
 signature, either `sha1` or `sha256`.
 NOTE: This is highly experimental and the format of the data stream may
 change in the future without compatibility guarantees.
 `encoding`
 ^^^^^^^^^^
 The optional `encoding` command indicates the encoding of the commit
--- a/builtin/fast-export.c
+++ b/builtin/fast-export.c
@@ -39,7 +39,7 @@ enum sign_mode { SIGN_ABORT, SIGN_VERBATIM, SIGN_STRIP, SIGN_WARN_VERBATIM, SIGN
 static int progress;
 static enum sign_mode signed_tag_mode = SIGN_ABORT;
-static enum sign_mode signed_commit_mode = SIGN_ABORT;
+static enum sign_mode signed_commit_mode = SIGN_STRIP;
 static enum tag_of_filtered_mode { TAG_FILTERING_ABORT, DROP, REWRITE } tag_of_filtered_mode = TAG_FILTERING_ABORT;
 static enum reencode_mode { REENCODE_ABORT, REENCODE_YES, REENCODE_NO } reencode_mode = REENCODE_ABORT;
 static int fake_missing_tagger;
@@ -1269,7 +1269,6 @@ int cmd_fast_export(int argc,
 		    const char *prefix,
 		    struct repository *repo UNUSED)
 {
 	const char *env_signed_commits_noabort;
 	struct rev_info revs;
 	struct commit *commit;
 	char *export_filename = NULL,
@@ -1327,10 +1326,6 @@ int cmd_fast_export(int argc,
 	if (argc == 1)
 		usage_with_options (fast_export_usage, options);
 	env_signed_commits_noabort = getenv("FAST_EXPORT_SIGNED_COMMITS_NOABORT");
 	if (env_signed_commits_noabort && *env_signed_commits_noabort)
 		signed_commit_mode = SIGN_WARN_STRIP;
 	/* we handle encodings */
 	git_config(git_default_config, NULL);
--- a/t/t9350-fast-export.sh
+++ b/t/t9350-fast-export.sh
@@ -299,22 +299,10 @@ test_expect_success GPG 'set up signed commit' '
 '
-test_expect_success GPG 'signed-commits default' '
+test_expect_success GPG 'signed-commits default is same as strip' '
-
+	git fast-export --reencode=no commit-signing >out1 2>err &&
-	sane_unset FAST_EXPORT_SIGNED_COMMITS_NOABORT &&
+	git fast-export --reencode=no --signed-commits=strip commit-signing >out2 &&
-	test_must_fail git fast-export --reencode=no commit-signing &&
+	test_cmp out1 out2
 	FAST_EXPORT_SIGNED_COMMITS_NOABORT=1 git fast-export --reencode=no commit-signing >output 2>err &&
 	! grep ^gpgsig output &&
 	grep "^encoding ISO-8859-1" output &&
 	test -s err &&
 	sed "s/commit-signing/commit-strip-signing/" output | (
 		cd new &&
 		git fast-import &&
 		STRIPPED=$(git rev-parse --verify refs/heads/commit-strip-signing) &&
 		test $COMMIT_SIGNING != $STRIPPED
 	)
 '
 test_expect_success GPG 'signed-commits=abort' '