[Pulp-dev] Removing MD5 and SHA-1 as default available checksums in 3.11

Thu Mar 11 08:11:59 UTC 2021

On Wed, Mar 10, 2021 at 10:20 PM Brian Bouterse <bmbouter at redhat.com> wrote:
>
> Thanks Quirin for the questions. I put my understanding and recommendations inline. Other devs please share your perspectives and advice, especially if they differ from what is written here. More questions and discussion are welcome. This is complicated stuff, but we want to be here to help.
>
> On Wed, Mar 10, 2021 at 11:40 AM Quirin Pamp <pamp at atix.de> wrote:
>>
>> To summarize: I am uncertain how best to proceed, but perhaps I am overthinking this and simply respecting ALLOWED_CONTENT_CHECKSUMS and letting users decide is best.
>
> The question I'll ask to help answer yours is: how much does pulp_deb break with 3.11's defaults? This would be good to know. Want to run a few tests and let us know? Maybe we can help give more info with that.
>
> Aside from that, my general advice is to expect that pulp_deb users will change this setting, and to have the pulp_deb code work with the checksums it has available and error when it cannot fulfill their request due to not having the checksums it would need to do so.

There is one difference between the RPM ecosystem and the Debian
ecosystem here. APT will absolutely choke on a repository if MD5 is
missing, even if it won't use it for "integrity". Various aspects of the Debian
ecosystem still use MD5 because it's the only guaranteed algorithm.

Two major points where it's still mandatory:

* Debian Source Control files and repodata generated for "sources".
The dsc file (ex. rpm[1]) uses MD5 for *file list*, and that's *not*
optional. There *are* extra Checksums sections that you're supposed to
use for integrity verification, but they are technically optional, and
the only *guaranteed* algorithm is MD5, which is used for the Files
section.

* Debian InRelease and other repodata index files. The InRelease file
(ex. Ubuntu 20.04[2]) *guarantees* MD5Sums (note capital "S") for the
file list, and while the current advice is that clients *must* also
request a SHA2 algorithm to verify the integrity of the files, the
first section using MD5 *must* be present or the repodata is invalid.

The repository format wiki page[3] somewhat details this (though being
a wiki page, it's as inconsistent as any other wiki page, yay?).

Probably the correct thing to do here is to make it possible to
propagate the correct error information up so that users can be
informed about missing algorithms and *why* so they can enable it. And
if any installer is going to do Pulp with Debian, they also can't ask
for weak algorithms to be disabled.

[1]: http://archive.ubuntu.com/ubuntu/pool/universe/r/rpm/rpm_4.14.2.1+dfsg1-1build2.dsc
[2]: http://archive.ubuntu.com/ubuntu/dists/focal/InRelease
[3]: https://wiki.debian.org/DebianRepository/Format

--
真実はいつも一つ！/ Always, there's only one truth!