[llimllib]

Don't set fsckobjects=true. There are normal repositories that have broken trees which will not download if you have it set. Yes it is irritating and I would rather turn it on, but I had to turn it off after several repos failed for me.

Git doesn't check validity of commit hashes by default: https://groups.google.com/forum/#!topic/binary-transparency/...

[peff]

I'm not sure what you mean by this last sentence. But Git always computes the SHA1 of incoming objects (that's how it knows that the SHA1 is; the other side doesn't send it). And it likewise confirms that it has every object which is referenced by the newly fetched history.

The fsckObjects settings are entirely separate from the SHA. They are about syntactic and semantic rules in the objects themselves (e.g., well-formatted committer name/dates, tree filenames that don't contain "/", etc).

[scottnonnenberg]

Wouldn't it make sense to turn that off per-project when you encounter it?

[llimllib]

That wasn't a hassle I was willing to deal with, I guess at least know that you're going to be doing that if you enable it.

IIRC, the jquery repo was an example of one with a bad object hash.