Web lists-archives.com

Re: GIT issue while cloning (fatal: pack is corrupted (SHA1 mismatch)) !!!

On Tue, May 28, 2019 at 09:10:12AM +0000, Vanak, Ibrahim wrote:

> We are seeing issue with GIT 2.14 version. When we try to clone the
> repos, it is taking HUGE amount of time on HPUX, whereas on the linux
> machine with same network configuration, it's getting cloned in less
> than mins. So we want to know has anyone reported this issue? What is
> the fix for this? Has the fix been released for this? Whom should we
> contact for this?

I don't know about the slowness, but...

> Below is the HPUX system where we are seeing issue, it is taking 1 hr 45 mins and later it failed:
> root@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx# uname -a
> HP-UX sstl002 B.11.31 U ia64 0158936019 unlimited-user license
> root@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx# time git clone git@xxxxxxxxxxxxxx:HPUX/SysFaultMgmt.git
> Cloning into 'SysFaultMgmt'...
> remote: Enumerating objects: 63627, done.
> remote: Total 63627 (delta 0), reused 0 (delta 0), pack-reused 63627
> Receiving objects: 100% (63627/63627), 681.90 MiB | 111.00 KiB/s, done.
> fatal: pack is corrupted (SHA1 mismatch)
> fatal: index-pack failed

Git v2.14 uses the sha1collision-detection implementation of sha1 by
default. That has a bug that was fixed recently with:

  commit 4125f78222749cb8fc91115abec3ac83e5dfb194
  Author: Ævar Arnfjörð Bjarmason <avarab@xxxxxxxxx>
  Date:   Tue May 14 00:17:01 2019 +0200
      sha1dc: update from upstream
      Update sha1dc from the latest version by the upstream
      maintainer[1]. See 07a20f569b ("Makefile: fix unaligned loads in
      sha1dc with UBSan", 2019-03-12) for the last update.
      This fixes an issue where HP-UX IA64 was wrongly detected as a
      Little-endian instead of a Big-endian system, see [2] and [3].
      1. https://github.com/cr-marcstevens/sha1collisiondetection/commit/855827c583bc30645ba427885caa40c5b81764d2
      2. https://public-inbox.org/git/603989bd-f86d-c61d-c6f5-fb6748a65ba9@xxxxxxxxxxx/
      3. https://github.com/cr-marcstevens/sha1collisiondetection/pull/50

which looks like it would impact your system. You can either:

  1. Try v2.22.0-rc1, which will be the first release with that fix.

  2. Try cherry-picking the various fixes on top of v2.14.0:

       git checkout v2.14.0
       git cherry-pick 23e37f8e9d5961c0c8d52ac481693d3fca5309ce
       git cherry-pick 07a20f569b4b1690e717eaac0954007a8edfbfc2
       git cherry-pick 4125f78222749cb8fc91115abec3ac83e5dfb194

  3. Compile with another sha1 implementation. E.g.:

       # if you have openssl available; otherwise,
       # try BLK_SHA1
       echo 'OPENSSL_SHA1 = Yes' >config.mak

     Note that you won't be protected from collision attacks, but those
     are still impractically expensive to mount at this point. It may be
     a good tradeoff until you can upgrade to a more recent Git.