This directory contains various scripts that attempt to reproduce the mergeinfo-authz case that r29051 is intended address. None of the scripts are successful in reproducing it. Note that r29051 passes 'make check'; the issue is merely that we don't know whether it solves the problem it's meant to solve. To try one of the reproduction scripts, apply 'debugs-patch.txt' from the top of the source code tree, then run the script (say, 'repro.sh') like this: $ rm -f /tmp/kff.out; ./repro.sh; cat /tmp/kff.out If there's any debug output, it will be shown at the end. You may need to tweak one line in the script; it should be obvious which one. Here is an IRC conversation between glasser and kfogel about our problems trying to come up with a reproduction case: glasser: regarding http://subversion.tigris.org/servlets/ReadMsg?list=dev&msgNo=134402 Yes, sure, I understand the scenario in theory. What I can't seem to do is construct a series of commands that actually causes that. kfogel: mmhmm? you mean to get the nested mergeinfo? Maybe I just need to set the mergeinfo manually, but I've been trying to do it via actual merges followed by a merge --reintegrate. yeah I'll paste my current script, hold on. copy A to A_COPY do stuff merge some revs of A_COPY back to A merge more revs from A_COPY/B/E back to A/B/E (not using reintegrate) or you can go in the other direction, whatever http://pastebin.ca/872623 [note: this corresponds to 'nested-branch-repro.sh' in the same directory as this README] glasser: that's what I'm trying (or think I'm trying, though the path names are slightly different) hmmm sorry, the script above tries something different what you describe above, I'm pretty sure I tried before ah. i'm not sure what you're trying to do in the script nested branches don't seem to be relevant here you need to be running merge multiple times, at least I'll try a reworked script using those exact paths up there, so we can be speaking the same language But the problem is we've been hand-waving about what this scenario actually is -- and when I try to actually make it fully concrete, I can't stimulate the conditions. ok give me the next versin, then I'll try sure, few minutes glasser: there has to be a --reintegrate merge somewhere, though... right? (the goal is to stimulate the new authz checks in svn_repos_fs_get_mergeinfo() ) at the end but you need two merges first, to set up two layers of mergeinfo Of course, all that this discussion proves hell, my old script had that :-) "...proves, is that this stuff is a rare edge case" ? is that inherited mergeinfo is so complicated that it manages to confuse even people with their heads deep in the implementation show old script? well, I actually wouldn't call my head deep in the implementation (that's a big part of the problem here). But I did expect to be able to write a test case, yes. I did. you saw it (note that along with it is the patch to fs-wrap.c that I posted, which has various debug prints to /tmp/kff.out so one can see that the expected things are not happening) but, I mean, you do have a reasonable understanding of subversion at least :) the thing you pastebinned? Note also that the earlier script I pastebin'd never bothers with the untrusted user. My debug prints are just to show that the *check* happens, and even that's not happening. If the check itself happened, I could construct a authz file that would make the check fail. oh, the one in the mail the pastebinned one doesn't do nested merge, does it? it does, although I don't think that's strictly necessary for what it's trying to show. maybe we are meaning different things by nested I don't care about having *two branches* I care about *merging subtrees* I did that too. in the pastebinned one? where? (it happens that the subtree changes got into branch1 by being merged from branch2, that's all.) let me see... you only merge once before teh reintegrate! oh, I see what you mean. I think. this is what is needed * cp trunk branch * make change rA and rB on branch, touching a bunch of files each er, on trunk, sorry ?? * merge rA from trunk to branch *nod* * merge rB from trunk/some-subdir to branch/some-subdir *nod nod* make some random other change on branch * merge --reintegrate it back *nod nod nod* the "some random other change" is necessary why? well, i guess it's not, but "to give something to actaully be reintegrating" yeah before I write this as a script, I'm going to spell it out at the level of detail I think we need here: 1. create repos, import a greek tree into /trunk 2. create /branches/b1 from /trunk 3. make several commits worth of random trunk changes, including rX and rY. (uh, make that "two commits" -- *just* rX and rY) 4. merge rX from trunk to branch b1 5. merge rY from trunk/B/E to branches/b1/B/E (assume rY is just a change to alpha and beta) 6. make some other random change on b1 (say, branches/b1/A/mu) 7. cd back into trunk wc 8. merge --reintegrate yup I should see my prints checking auth at least two paths. now, that would fail with "duh, I dunno if X or Y should be the base" s/at/for at/ but if you can't see B/E, it wouldn't although huh I don't understand the error you're proposing... mm grr read authz is hard :) * kfogel takes schadenfreudliches joy in glasser's slow realization that this is harder than it looks "no wonder nobody else tries to do it for non-trivial things" no, I mean, technically, what I'm describing would work the way we're describing it Now *there's* a sentence to take home and chew on :-). in practice, the semantics is kind of hard to grok though. what *should* be the goal of a --reintegrate I mean, our idea is "do a diff with the left-hand-side being 'the trunk revision that we are synced up to'" basically the whole point of the get-mergeinfo-including-descendents thing is to let us punt if there is no single revision that it's merged up to (but rather has different bits merged differently) (at least, we can manipulate things so we're dealing with that case, yes) but if authz makes us not see stuff that has actually been merged, then... well, i guess we can't see it anyway. if you're having people who can't see all the files in the branch running the merges, then life is hard. i guess that's ok That was what I was saying in my original mail, I think. That I can't construct a scenario in which someone who doesn't have auth on path foo would somehow do a merge that gets mergeinfo applying to foo. (IOW, that earlier checks already cover this.) oh, that's true but they could do a READ op like, somebody *else* does the merge that gets the mergeinfo onto it and then they run --reintegrate on a parent of foo, and since reintegrate uses include_descendants... so you need the unprivileged user to run the reintegrate only glasser: right, I tried that too glasser: in my various scripts, I've generally only used user 'juntrusted' for the reintegrate step, not for any of the others. (right now I'm not even doing that -- I use 'jtrusted' for everything and watch the debug output) nod glasser: frankly, I'm tempted (I know this is bad behavior, but...) to just check in the authz protection changes (which already pass make check) and then dare the world to come up with a test case. Hmm, are you capable of getting them to at least execute without passing? They did look good to me (if overly clever, though that was due to how the function was already written) glasser: what do you mean by execute without passing? You mean the conditional checks? No. That's what I've been trying to do. If I could do that, everything would be jolly. I have verified (by independent means) that authz is working on the repos. right, right I had juntrusted accidentally checking out at one point, when A/ was protected from reading, and juntrusted got no subdir A.