Web lists-archives.com

Re: HP-UX (git-2.14.0) Depot File / Source Code Build throws SHA1 Error

On Fri, Sep 01, 2017 at 03:04:36PM +0100, josephpattara . wrote:

> Dear HP-UX Git Maintainers,
> Sending this email as I was trying to use the HP-UX depot file which
> was recently committed to the
> http://hpux.connectinternetsolutions.com/hppd/hpux/Development/Tools/git-2.14.0/.
> I tried to use the depot file and also attempted to build the code
> from the adapted source code (using native HP-UX compiler as mentioned
> in Installation Note) from the website.

I don't know anything about HP-UX, but I can tell you a few things from
the Git side...

> But unfortunately both of them failed with an error:
> Cloning into xxxx...
> remote: Counting objects: 19813, done.
> remote: Compressing objects: 100% (9124/9124), done.
> remote: Total 19813 (delta 10340), reused 16358 (delta 8293)
> Receiving objects: 100% (19813/19813), 6.07 MiB | 9.72 MiB/s, done.
> fatal: pack is corrupted (SHA1 mismatch)
> fatal: index-pack failed

Assuming there's no corruption happening on the network, it looks like
there's a bug in the SHA-1 routines of your build. One very basic check
would be to run:

  echo foo | git hash-object --stdin

which should produce:


(If it does that's not a guarantee that there aren't problems with more
complex inputs, but if it produces a different sha1 that's a clear sign
of a sha1 issue).

> Looking at the dynamic link I can see the below:
> _HP_DLDOPTS="-ldd" /usr/bin/git
>   /usr/lib/hpux32/libpthread.so =>        /usr/lib/hpux32/libpthread.so
>   libpthread.so.1 =>      /usr/lib/hpux32/libpthread.so.1
>   libz.so =>      /usr/local/lib/hpux32/libz.so
>   libiconv.so =>  /usr/local/lib/hpux32/libiconv.so
>   libintl.so =>   /usr/local/lib/hpux32/libintl.so
>   libc.so.1 =>    /usr/lib/hpux32/libc.so.1
>   libdl.so.1 =>   /usr/lib/hpux32/libdl.so.1
>   Until recently we were using the older GIT version for HP-UX
> and I can see the older GIT had a dynamic link for libcrypto.so.

Git can build against several SHA-1 implementations. In v2.13 and up,
the default is the collision-detecting version publicized as part of the
SHAttered attacks earlier this year. We have had a few problems with it
misbehaving on uncommon platforms or compilers, so it seems a likely
candidate here.

You can try building with "make OPENSSL_SHA1=Yes" to use openssl instead
of the collision-detecting version. You can also try "make BLK_SHA1=Yes"
if you have trouble building against openssl for whatever reason.

> The clarification I have is
> 1. Is the version 2.14.0 from HPUX connect is it really usable (depot
> file and also the source code)

That I don't know. I took a peek at the diff between their source and a
pristine v2.14.0 tarball, and I don't see anything too exotic. So you
could try the upstream code from:


but I suspect the problem would still exist.

> 2. Was it deliberate to remove the openssl linkage from the new GIT or
> am I really missing any special configure or build flags to enable the
> libcrypto.so linkage.

Yes, the default flipped but you can still change it. See above.

> 3. Is the SHA1 error which I get is it really to do with the missing
> libcrypto.so or I am on a wrong inference track?

I think it's likely that you're on the right track.