On Mon, Aug 12, 2019 at 12:15:19PM +0200, Jacob Vosmaer wrote: > This is a tangent, but relevant: how do we feel about the fact that > 'git bundle create' does not perform CRC32 checks when copying data > out of an existing packfile? > > See https://github.com/git/git/blob/v2.22.0/builtin/pack-objects.c#L2614-L2622 . > > I understand the rationale of "skip CRC32 when serving a fetch", > although I have no clue how much we gain from skipping it. But "pack > to stdout means fetch" isn't quite accurate, as it includes bundles. I don't recall it being discussed in the past. I think you could argue either way: - a bundle is just another form of object transfer, like a fetch, and so we don't need to be careful about bitrot. The receiver would notice it when it indexes the pack (as opposed to an on-disk repack, where we'll immediately delete the old copy, and really want to make sure we haven't just lost data). - because a bundle isn't interactive like a regular fetch, any bit errors may not be seen until much later when somebody reads the. At that point it may not be possible to go back to the original repo (in the extreme case of using a bundle as a backup, it may have been deleted entirely!). Depending on the cost of those checks (and I really doubt they are all _that_ expensive), it might make sense for bundles to err on the conservative side and do them. And if they are expensive, it should perhaps be made an option for people who know they are planning to store the bundle for a long time without reading it[1]. I agree that linking "skip CRC32" to "pack to stdout" is a bit hacky. It should be easy to add a new --check-crc32 option which defaults to "!pack_to_stdout" if not specified. -Peff [1] Of course bitrot in the original packfile is just one place this can go wrong. Depending how paranoid you want to be, it might be worth reading back the result before considering it a valid backup. That would catch some software bugs, as well as any bit corruption on the writing side. Doing a full index-pack is the most robust way there, but it's quite expensive. Just checking the SHA1 of the packfile itself would give pretty good protection against write errors, though you'd definitely want to couple it with CRC32 checks on the source (since Git would otherwise include the bad bits in its SHA1 checksum).
