Error building without CGO #624
Comments
@dornimaug thanks for reporting this. I will take a look at it later on today. In the meantime, you may want to replace the go-git version with a version that preceded the change:
FWIW, same issue here:
@pjbgf is this fix related to this:
I'm still getting the same error if I set If I set it to
Also just out of curiosity, why did we change the hashing library? Was it for better collision detection?
@sithembiso the fix for
That should enable you to build with cgo disabled. As for the issue whilst vendoring, I will take a look and let you know. As for the second question, TL;DR: SHA1 is no longer a secure hash algorithm to be used. The key Git implementations rely on a collision detection SHA1 version which can detect the patterns of a hash attack and circumvent it by yielding a different hash instead. Here's some info on the SHA1's state: https://shattered.io/. More info on when the Git CLI incorporated the same changes: git/git@28dc98e.
Hello @sithembiso,
It appears the issue was as a result if @pjbgf Thank you for the explanation and the resources. I was aware of SHA1's security issues, but I was wondering why we should consider "fixing" the SHA1 issues instead of moving to something like SHA256. I know it's naive of me considering how big a task that is.
Hello @sithembiso, your modification (embedding C sources in an unused variable), although it’s working perfectly fine, seems more like a workaround to me than a solution to the root problem (C sources being in a subfolder which Go module vendoring deliberately ignores golang/go#26366 (comment)). Have you tried my solution attempt?
@yann-soubeyrand thank you for taking a look at this. I did try to load your package, but the files were still getting left behind for some reason. I don't know a lot about the internals of the vendoring tool, but I just assumed that it's only looking at the
I just checked, it works. I think
And it builds now.
@dornimaug @sithembiso @eddycharly with the latest version of sha1cd those issues are now resolved:
I updated #625 so once merged this is no longer an issue. Thanks @sithembiso @yann-soubeyrand for helping get this resolved.
I just updated this dependency and ran into an error, because our CI servers don't have gcc installed. If there is now a dependency that uses cgo, shouldn't the readme be updated to remove the note about the "pure go" implementation?
Cgo is optional and the build should work without it. However, one now has to set
* Update misc modules
* Pin back go-git to v5.4.2, see: go-git/go-git#624

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Laszlo Uveges <laszlo@giantswarm.io>
Trying to build a program using go-git v5.5.0 with CGO_ENABLED set to 0 results in an error:
This seems to have been added/changed in #618.
Using
as suggested in the PR, does not fix the problem.