GitoxideLabs
diff --git a/‎Cargo.lock‎
Lines changed: 1 addition & 0 deletions b/‎Cargo.lock‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎Cargo.toml‎
Lines changed: 3 additions & 1 deletion b/‎Cargo.toml‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎etc/plans/bug-fixes.md‎ ‎etc/plan/bug-fixes.md‎etc/plans/bug-fixes.md renamed to etc/plan/bug-fixes.md b/‎etc/plans/bug-fixes.md‎ ‎etc/plan/bug-fixes.md‎etc/plans/bug-fixes.md renamed to etc/plan/bug-fixes.md
diff --git a/‎etc/scripts/check-gix-crate-hash-feature-combinations.sh‎
Lines changed: 33 additions & 0 deletions b/‎etc/scripts/check-gix-crate-hash-feature-combinations.sh‎
Lines changed: 33 additions & 0 deletions
diff --git a/‎etc/scripts/check-gix-crates-do-not-default-hash-features.sh‎
Lines changed: 33 additions & 0 deletions b/‎etc/scripts/check-gix-crates-do-not-default-hash-features.sh‎
Lines changed: 33 additions & 0 deletions
diff --git a/‎etc/scripts/check-gix-crates-require-hash-features.sh‎
Lines changed: 44 additions & 0 deletions b/‎etc/scripts/check-gix-crates-require-hash-features.sh‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎etc/scripts/check-gix-crates-without-hash-features.sh‎
Lines changed: 28 additions & 0 deletions b/‎etc/scripts/check-gix-crates-without-hash-features.sh‎
Lines changed: 28 additions & 0 deletions
diff --git a/‎gix-archive/Cargo.toml‎
Lines changed: 3 additions & 1 deletion b/‎gix-archive/Cargo.toml‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎gix-blame/Cargo.toml‎
Lines changed: 3 additions & 9 deletions b/‎gix-blame/Cargo.toml‎
Lines changed: 3 additions & 9 deletions
diff --git a/‎gix-blame/src/file/function.rs‎
Lines changed: 3 additions & 3 deletions b/‎gix-blame/src/file/function.rs‎
Lines changed: 3 additions & 3 deletions
@@ -92,9 +92,11 @@ lean-async = ["hashes", "fast", "tracing", "pretty-cli", "gitoxide-core-tools",
 #! Typical combinations of features of our dependencies, some of which are referred to in the `gitoxide` crate's code for conditional compilation.
 
 ## Provide support for all known hashes. If this isn't enabled, select an individual hash algorithms.
-hashes = ["sha1"]
+hashes = ["sha1", "sha256"]
 ## Enable support for the SHA-1 hash throughout the `gix` crate.
 sha1 = ["gix/sha1"]
+## Enable support for the SHA-256 hash throughout the `gix` crate.
+sha256 = ["gix/sha256"]
 
 ## Makes the crate execute as fast as possible by supporting parallel computation of otherwise long-running functions.
 ## If disabled, the binary will be visibly smaller.
 
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+#
+# Check every gix-* crate that advertises hash features with sha1, sha256, and
+# sha1+sha256, limited to combinations the crate actually exposes.
+#
+# This keeps feature forwarding honest: a crate with a public hash feature must
+# compile with that feature, and sha256 support must not silently regress while
+# sha1 remains covered by older checks.
+
+set -euo pipefail
+
+metadata="$(cargo metadata --format-version 1 --no-deps)"
+
+for features in sha1 sha256 sha1,sha256; do
+    crates="$(
+        printf '%s\n' "$metadata" |
+            jq --arg features "$features" --raw-output '
+                ($features | split(",")) as $required_features
+                | .workspace_members as $members
+                | .packages[] as $pkg
+                | select($members | index($pkg.id))
+                | select($pkg.name | startswith("gix-"))
+                | select(all($required_features[]; . as $feature | $pkg.features | has($feature)))
+                | $pkg.name
+            '
+    )"
+
+    while IFS= read -r crate; do
+        [[ -n "$crate" ]] || continue
+        printf 'Checking %s with %s: cargo check -p %s --features %s\n' "$crate" "$features" "$crate" "$features"
+        cargo check -p "$crate" --features "$features"
+    done <<<"$crates"
+done
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+#
+# Check that gix-* crates with public sha1 or sha256 features do not enable
+# either hash algorithm in their default feature set.
+#
+# Hash selection must be explicit for library crates. If a crate defaults to a
+# hash algorithm, downstream users can accidentally compile with the wrong object
+# hash support instead of making the choice at the application boundary.
+
+set -euo pipefail
+
+offenders="$(
+    cargo metadata --format-version 1 --no-deps |
+        jq --raw-output '
+            .workspace_members as $members
+            | .packages[] as $pkg
+            | select($members | index($pkg.id))
+            | select($pkg.name | startswith("gix-"))
+            | select($pkg.features | has("sha1") or has("sha256"))
+            | ($pkg.features.default // []) as $default_features
+            | ($default_features | map(select(. == "sha1" or . == "sha256"))) as $default_hash_features
+            | select($default_hash_features | length > 0)
+            | "\($pkg.name): default includes \($default_hash_features | join(","))"
+        '
+)"
+
+printf 'Checking gix-* crates do not default to sha1 or sha256\n'
+
+if [[ -n "$offenders" ]]; then
+    printf '%s: error: hash features must not be default features.\n' "$0" >&2
+    printf '%s\n' "$offenders" >&2
+    exit 1
+fi
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+#
+# Check that every gix-* crate with public hash features fails without selecting
+# an explicit hash algorithm.
+#
+# This catches accidental default-hash behavior and empty feature gates. Crates
+# that depend on gix-hash transitively must forward sha1/sha256 instead of
+# compiling in an ambiguous hash configuration.
+
+set -euo pipefail
+
+hash_feature_error='Please set either the `sha1` or the `sha256` feature flag'
+stderr_file="$(mktemp -t gix-hash-feature-check.XXXXXX)"
+trap 'rm -f "$stderr_file"' EXIT
+
+crates="$(
+    cargo metadata --format-version 1 --no-deps |
+        jq --raw-output '
+            .workspace_members as $members
+            | .packages[] as $pkg
+            | select($members | index($pkg.id))
+            | select($pkg.name | startswith("gix-"))
+            | select($pkg.features | has("sha1") or has("sha256"))
+            | $pkg.name
+        '
+)"
+
+while IFS= read -r crate; do
+    [[ -n "$crate" ]] || continue
+
+    printf 'Checking %s requires explicit hash feature: cargo check -p %s\n' "$crate" "$crate"
+    if cargo check -p "$crate" > /dev/null 2> "$stderr_file"; then
+        printf '%s: error: expected %s to require an explicit hash feature.\n' "$0" "$crate" >&2
+        printf 'Reproduce with: cargo check -p %s\n' "$crate" >&2
+        exit 1
+    fi
+
+    if ! grep -Fq "$hash_feature_error" "$stderr_file"; then
+        printf '%s: error: expected %s to fail with the hash feature message.\n' "$0" "$crate" >&2
+        printf 'Reproduce with: cargo check -p %s\n' "$crate" >&2
+        cat "$stderr_file" >&2
+        exit 1
+    fi
+done <<<"$crates"
@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+#
+# Check every gix-* crate that does not advertise sha1 or sha256 without passing
+# hash features.
+#
+# This protects hash-independent crates from accidentally acquiring a required
+# hash configuration through dependencies. The crate set is derived from Cargo
+# metadata so new crates are covered automatically.
+
+set -euo pipefail
+
+crates="$(
+    cargo metadata --format-version 1 --no-deps |
+        jq --raw-output '
+            .workspace_members as $members
+            | .packages[] as $pkg
+            | select($members | index($pkg.id))
+            | select($pkg.name | startswith("gix-"))
+            | select(($pkg.features | has("sha1") or has("sha256")) | not)
+            | $pkg.name
+        '
+)"
+
+while IFS= read -r crate; do
+    [[ -n "$crate" ]] || continue
+    printf 'Checking %s: cargo check -p %s\n' "$crate" "$crate"
+    cargo check -p "$crate"
+done <<<"$crates"
@@ -17,7 +17,9 @@ doctest = false
 [features]
 default = ["tar", "tar_gz", "zip"]
 ## Enable support for the SHA-1 hash by forwarding the feature to dependencies.
-sha1 = ["gix-worktree-stream/sha1", "gix-object/sha1"]
+sha1 = ["gix-worktree-stream/sha1"]
+## Enable support for the SHA-256 hash by forwarding the feature to dependencies.
+sha256 = ["gix-worktree-stream/sha256"]
 
 ## Enable the `tar` archive format. It has support for all information, except for object ids.
 tar = ["dep:tar", "dep:gix-path"]
 
@@ -13,15 +13,9 @@ include = ["/src/**/*", "/LICENSE-*"]
 
 [features]
 ## Enable support for the SHA-1 hash by forwarding the feature to dependencies.
-sha1 = [
-    "gix-commitgraph/sha1",
-    "gix-diff/sha1",
-    "gix-hash/sha1",
-    "gix-object/sha1",
-    "gix-revwalk/sha1",
-    "gix-traverse/sha1",
-    "gix-worktree/sha1",
-]
+sha1 = ["gix-hash/sha1"]
+## Enable support for the SHA-256 hash by forwarding the feature to dependencies.
+sha256 = ["gix-hash/sha256"]
 
 [dependencies]
 gix-error = { version = "^0.2.3", path = "../gix-error" }
 
@@ -165,8 +165,8 @@ pub fn file(
                             source_file_path: current_file_path.clone(),
                             previous_source_file_path: None,
                             commit_id: suspect,
-                            blob_id: entry.unwrap_or(ObjectId::null(gix_hash::Kind::Sha1)),
-                            previous_blob_id: ObjectId::null(gix_hash::Kind::Sha1),
+                            blob_id: entry.unwrap_or(gix_hash::Kind::shortest().null()),
+                            previous_blob_id: gix_hash::Kind::shortest().null(),
                             parent_index: 0,
                         };
                         blame_path.push(blame_path_entry);
@@ -299,7 +299,7 @@ pub fn file(
                                 previous_source_file_path: None,
                                 commit_id: suspect,
                                 blob_id: id,
-                                previous_blob_id: ObjectId::null(gix_hash::Kind::Sha1),
+                                previous_blob_id: gix_hash::Kind::shortest().null(),
                                 parent_index: index,
                             };
                             blame_path.push(blame_path_entry);