[Pulp-dev] Removing MD5 and SHA-1 as default available checksums in 3.11

Matthias Dellweg mdellweg at redhat.com
Thu Mar 11 08:30:58 UTC 2021

On Thu, Mar 11, 2021 at 9:13 AM Neal Gompa <ngompa13 at gmail.com> wrote:

> On Wed, Mar 10, 2021 at 10:20 PM Brian Bouterse <bmbouter at redhat.com>
> wrote:
> >
> > Thanks Quirin for the questions. I put my understanding and
> recommendations inline. Other devs please share your perspectives and
> advice, especially if they differ from what is written here. More questions
> and discussion are welcome. This is complicated stuff, but we want to be
> here to help.
> >
> > On Wed, Mar 10, 2021 at 11:40 AM Quirin Pamp <pamp at atix.de> wrote:
> >>
> >> To summarize: I am uncertain how best to proceed, but perhaps I am
> overthinking this and simply respecting ALLOWED_CONTENT_CHECKSUMS and
> letting users decide is best.
> >
> > The question I'll ask to help answer yours is: how much does pulp_deb
> break with 3.11's defaults? This would be good to know. Want to run a few
> tests and let us know? Maybe we can help give more info with that.
> >
> > Aside from that, my general advice is to expect that pulp_deb users will
> change this setting, and to have the pulp_deb code work with the checksums
> it has available and error when it cannot fulfill their request due to not
> having the checksums it would need to do so.
> 
> There is one difference between the RPM ecosystem and the Debian
> ecosystem here. APT will absolutely choke on a repository if MD5 is
> missing, even if it won't use it for "integrity". Various aspects of the
> Debian ecosystem still use MD5 because it's the only guaranteed algorithm.
> Two major points where it's still mandatory:
> * Debian Source Control files and repodata generated for "sources".
> The dsc file (ex. rpm[1]) uses MD5 for *file list*, and that's *not*
> optional. There *are* extra Checksums sections that you're supposed to
> use for integrity verification, but they are technically optional, and
> the only *guaranteed* algorithm is MD5, which is used for the Files
> section.
> * Debian InRelease and other repodata index files. The InRelease file
> (ex. Ubuntu 20.04[2]) *guarantees* MD5Sums (note capital "S") for the
> file list, and while the current advice is that clients *must* also
> request a SHA2 algorithm to verify the integrity of the files, the
> first section using MD5 *must* be present or the repodata is invalid.
> The repository format wiki page[3] somewhat details this (though being
> a wiki page, it's as inconsistent as any other wiki page, yay?).

Reading this section from the Wiki page you mention, I understand that
everything but SHA256 is indeed optional in the Release file (and I assume
the InRelease file too).

    Servers shall provide the InRelease file, and might provide a Release
    file and its signed counterparts with at least the following keys:

    - Suite and/or Codename
    - Architectures
    - Components
    - Date
    - SHA256

    Still having an unsigned Release file and MD5Sum is currently highly
    recommended.

> Probably the correct thing to do here is to make it possible to
> propagate the correct error information up so that users can be
> informed about missing algorithms and *why* so they can enable it. And
> if any installer is going to do Pulp with Debian, they also can't ask
> for weak algorithms to be disabled.
> [1]:
> http://archive.ubuntu.com/ubuntu/pool/universe/r/rpm/rpm_4.14.2.1+dfsg1-1build2.dsc
> [2]: http://archive.ubuntu.com/ubuntu/dists/focal/InRelease
> [3]: https://wiki.debian.org/DebianRepository/Format
> --
> 真実はいつも一つ!/ Always, there's only one truth!
> _______________________________________________
> Pulp-dev mailing list
> Pulp-dev at redhat.com
> https://listman.redhat.com/mailman/listinfo/pulp-dev
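The thread above turns on which checksum fields a Release file carries and what a server configured with ALLOWED_CONTENT_CHECKSUMS can still do with them. The following is an added example, not code from this thread, from pulp_deb or from Pulp itself: it parses a Release file, checks it against the keys the wiki excerpt quoted above calls required, and verifies an index file with the strongest algorithm that is both listed in the Release file and allowed, raising the kind of explanatory error Neal asks for when none is. ALLOWED_CONTENT_CHECKSUMS is modelled only as a set of hashlib algorithm names passed in; the field-name table, the sample Release file and the sample Packages index are constructed for the example.

```python
"""Parse a Debian Release/InRelease file, list which checksum fields it
carries, and reconcile them with a Pulp-style ALLOWED_CONTENT_CHECKSUMS
setting so that a missing algorithm produces an error that says why."""
import hashlib

# Release-file field name -> hashlib algorithm name. Field names follow the
# DebianRepository/Format wiki page quoted in the thread (MD5Sum, not MD5Sums).
CHECKSUM_FIELDS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}
STRONGEST_FIRST = ("sha512", "sha256", "sha1", "md5")
# Keys the wiki excerpt lists as required (Suite and/or Codename is checked separately).
REQUIRED_KEYS = ("Architectures", "Components", "Date", "SHA256")


def parse_release(text):
    """Return (fields, checksums). fields maps scalar keys to their values;
    checksums maps a field such as 'SHA256' to {path: (hexdigest, size)}."""
    fields, checksums, block, last_key = {}, {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":  # continuation line
            if block is not None:  # "<digest> <size> <path>" inside a checksum block
                digest, size, path = line.split()
                checksums[block][path] = (digest.lower(), int(size))
            elif last_key is not None:  # folded value of an ordinary field
                fields[last_key] += "\n" + line.strip()
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed line in Release file: %r" % line)
        key, value = key.strip(), value.strip()
        if key in CHECKSUM_FIELDS:
            block, last_key = key, None
            checksums.setdefault(key, {})
        else:
            block, last_key = None, key
            fields[key] = value
    return fields, checksums


def check_release(text, allowed_checksums):
    """Report what is missing from a Release file and which of its checksum
    fields this server cannot use. Returns a list of messages, empty when the
    file is complete and every algorithm it lists is allowed."""
    fields, checksums = parse_release(text)
    findings = []
    if "Suite" not in fields and "Codename" not in fields:
        findings.append("neither Suite nor Codename is present")
    for key in REQUIRED_KEYS:
        if key not in fields and key not in checksums:
            findings.append("required key %s is missing" % key)
    for field in checksums:
        algo = CHECKSUM_FIELDS[field]
        if algo not in allowed_checksums:
            findings.append("%s entries cannot be verified: %r is not in "
                            "ALLOWED_CONTENT_CHECKSUMS=%s" % (field, algo, sorted(allowed_checksums)))
    return findings


def verify_index(checksums, path, data, allowed_checksums):
    """Verify the bytes of the index file `path` with the strongest algorithm
    that is both listed in the Release file and allowed. Returns the algorithm
    used; raises ValueError naming the reason when verification is impossible."""
    listed = {CHECKSUM_FIELDS[f]: entries[path]
              for f, entries in checksums.items() if path in entries}
    if not listed:
        raise ValueError("%s is not listed in the Release file" % path)
    usable = [a for a in STRONGEST_FIRST if a in listed and a in allowed_checksums]
    if not usable:
        raise ValueError("%s is listed only with %s, none of which is in "
                         "ALLOWED_CONTENT_CHECKSUMS=%s"
                         % (path, sorted(listed), sorted(allowed_checksums)))
    algo = usable[0]
    digest, size = listed[algo]
    if len(data) != size:
        raise ValueError("%s: size %d does not match the Release entry (%d)" % (path, len(data), size))
    if hashlib.new(algo, data).hexdigest() != digest:
        raise ValueError("%s: %s digest does not match the Release entry" % (path, algo))
    return algo


# Constructed sample input (not a real archive): one Packages index and a
# Release file whose digests are computed from it.
SAMPLE_PACKAGES = b"Package: hello\nVersion: 2.10-2\nArchitecture: amd64\n\n"
SAMPLE_PATH = "main/binary-amd64/Packages"


def build_sample_release(fields=("MD5Sum", "SHA256"), packages=SAMPLE_PACKAGES):
    lines = ["Suite: focal", "Codename: focal", "Architectures: amd64",
             "Components: main", "Date: Thu, 11 Mar 2021 08:30:58 UTC"]
    for field in fields:
        lines.append(field + ":")
        lines.append(" %s %d %s" % (hashlib.new(CHECKSUM_FIELDS[field], packages).hexdigest(),
                                    len(packages), SAMPLE_PATH))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    release = build_sample_release()
    _, sums = parse_release(release)
    print(check_release(release, {"sha256"}))  # one finding: MD5Sum listed but 'md5' disallowed
    print(verify_index(sums, SAMPLE_PATH, SAMPLE_PACKAGES, {"sha256"}))  # prints sha256
```

With ALLOWED_CONTENT_CHECKSUMS reduced to sha256, the MD5Sum block is reported rather than silently ignored, and verification still succeeds through SHA256; with only sha512 allowed, the error names the algorithms the Release file actually offers, which is the information a user needs before changing the setting.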