On Tue, May 28 2019, Jeff King wrote:
> On Tue, May 28, 2019 at 09:10:12AM +0000, Vanak, Ibrahim wrote:
>
>> We are seeing issue with GIT 2.14 version. When we try to clone the
>> repos, it is taking HUGE amount of time on HPUX, whereas on the linux
>> machine with same network configuration, it's getting cloned in less
>> than mins. So we want to know has anyone reported this issue? What is
>> the fix for this? Has the fix been released for this? Whom should we
>> contact for this?
>
> I don't know about the slowness, but...
>
>> Below is the HPUX system where we are seeing issue, it is taking 1 hr 45 mins and later it failed:
>>
>> root@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx# uname -a
>> HP-UX sstl002 B.11.31 U ia64 0158936019 unlimited-user license
>> root@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx# time git clone git@xxxxxxxxxxxxxx:HPUX/SysFaultMgmt.git
>> Cloning into 'SysFaultMgmt'...
>> remote: Enumerating objects: 63627, done.
>> remote: Total 63627 (delta 0), reused 0 (delta 0), pack-reused 63627
>> Receiving objects: 100% (63627/63627), 681.90 MiB | 111.00 KiB/s, done.
>> fatal: pack is corrupted (SHA1 mismatch)
>> fatal: index-pack failed
>
> Git v2.14 uses the sha1collision-detection implementation of sha1 by
> default. That has a bug that was fixed recently with:
>
> commit 4125f78222749cb8fc91115abec3ac83e5dfb194
> Author: Ævar Arnfjörð Bjarmason <avarab@xxxxxxxxx>
> Date: Tue May 14 00:17:01 2019 +0200
>
> sha1dc: update from upstream
>
> Update sha1dc from the latest version by the upstream
> maintainer[1]. See 07a20f569b ("Makefile: fix unaligned loads in
> sha1dc with UBSan", 2019-03-12) for the last update.
>
> This fixes an issue where HP-UX IA64 was wrongly detected as a
> Little-endian instead of a Big-endian system, see [2] and [3].
>
> 1. https://github.com/cr-marcstevens/sha1collisiondetection/commit/855827c583bc30645ba427885caa40c5b81764d2
> 2. https://public-inbox.org/git/603989bd-f86d-c61d-c6f5-fb6748a65ba9@xxxxxxxxxxx/
> 3. https://github.com/cr-marcstevens/sha1collisiondetection/pull/50
>
> which looks like it would impact your system. You can either:
>
> 1. Try v2.22.0-rc1, which will be the first release with that fix.
>
> 2. Try cherry-picking the various fixes on top of v2.14.0:
>
> git checkout v2.14.0
> git cherry-pick 23e37f8e9d5961c0c8d52ac481693d3fca5309ce
> git cherry-pick 07a20f569b4b1690e717eaac0954007a8edfbfc2
> git cherry-pick 4125f78222749cb8fc91115abec3ac83e5dfb194
>
> 3. Compile with another sha1 implementation. E.g.:
>
> # if you have openssl available; otherwise,
> # try BLK_SHA1
> echo 'OPENSSL_SHA1 = Yes' >config.mak
> make
>
> Note that you won't be protected from collision attacks, but those
> are still impractically expensive to mount at this point. It may be
> a good tradeoff until you can upgrade to a more recent Git.
>
> -Peff
As a follow-up perhaps we should hash_object_file_literally() early in
main() (or maybe just clone & init) to detect this issue & exit with
some "zomg broken!".
Vanak: Also, this issue suggests whoever compiled the package you're
using (you?) installed it with a failing "make test", so a lot of other
things may be broken...
