Thread (14 messages), 5 authors, 2019-06-28

Re: GIT issue while cloning (fatal: pack is corrupted (SHA1 mismatch)) !!!

From: Ævar Arnfjörð Bjarmason <hidden>
Date: 2019-05-28 09:51:26

On Tue, May 28 2019, Jeff King wrote:
On Tue, May 28, 2019 at 09:10:12AM +0000, Vanak, Ibrahim wrote:
We are seeing issue with GIT 2.14 version. When we try to clone the
repos, it is taking HUGE amount of time on HPUX, whereas on the linux
machine with same network configuration, it's getting cloned in less
than mins. So we want to know has anyone reported this issue? What is
the fix for this? Has the fix been released for this? Whom should we
contact for this?

I don't know about the slowness, but...

Below is the HPUX system where we are seeing issue, it is taking 1 hr 45 mins and later it failed:

root@sstl002.in.rdlabs.hpecorp.net# uname -a
HP-UX sstl002 B.11.31 U ia64 0158936019 unlimited-user license
root@sstl002.in.rdlabs.hpecorp.net# time git clone git@github.hpe.com:HPUX/SysFaultMgmt.git
Cloning into 'SysFaultMgmt'...
remote: Enumerating objects: 63627, done.
remote: Total 63627 (delta 0), reused 0 (delta 0), pack-reused 63627
Receiving objects: 100% (63627/63627), 681.90 MiB | 111.00 KiB/s, done.
fatal: pack is corrupted (SHA1 mismatch)
fatal: index-pack failed

Git v2.14 uses the sha1collision-detection implementation of sha1 by
default. That has a bug that was fixed recently with:

  commit 4125f78222749cb8fc91115abec3ac83e5dfb194
  Author: Ævar Arnfjörð Bjarmason [off-list ref]
  Date:   Tue May 14 00:17:01 2019 +0200

      sha1dc: update from upstream

      Update sha1dc from the latest version by the upstream
      maintainer[1]. See 07a20f569b ("Makefile: fix unaligned loads in
      sha1dc with UBSan", 2019-03-12) for the last update.

      This fixes an issue where HP-UX IA64 was wrongly detected as a
      Little-endian instead of a Big-endian system, see [2] and [3].

      1. https://github.com/cr-marcstevens/sha1collisiondetection/commit/855827c583bc30645ba427885caa40c5b81764d2
      2. https://public-inbox.org/git/603989bd-f86d-c61d-c6f5-fb6748a65ba9@siemens.com/
      3. https://github.com/cr-marcstevens/sha1collisiondetection/pull/50

which looks like it would impact your system. You can either:

  1. Try v2.22.0-rc1, which will be the first release with that fix.

  2. Try cherry-picking the various fixes on top of v2.14.0:

       git checkout v2.14.0
       git cherry-pick 23e37f8e9d5961c0c8d52ac481693d3fca5309ce
       git cherry-pick 07a20f569b4b1690e717eaac0954007a8edfbfc2
       git cherry-pick 4125f78222749cb8fc91115abec3ac83e5dfb194

  3. Compile with another sha1 implementation. E.g.:

       # if you have openssl available; otherwise,
       # try BLK_SHA1
       echo 'OPENSSL_SHA1 = Yes' >config.mak
       make

     Note that you won't be protected from collision attacks, but those
     are still impractically expensive to mount at this point. It may be
     a good tradeoff until you can upgrade to a more recent Git.

-Peff

As a follow-up perhaps we should hash_object_file_literally() early in
main() (or maybe just clone & init) to detect this issue & exit with
some "zomg broken!".

Vanak: Also, this issue suggests whoever compiled the package you're
using (you?) installed it with a failing "make test", so a lot of other
things may be broken...