[Pulp-dev] Removing MD5 and SHA-1 as default available checksums in 3.11
mdellweg at redhat.com
Thu Mar 11 08:30:58 UTC 2021
On Thu, Mar 11, 2021 at 9:13 AM Neal Gompa <ngompa13 at gmail.com> wrote:
> On Wed, Mar 10, 2021 at 10:20 PM Brian Bouterse <bmbouter at redhat.com>
> > Thanks Quirin for the questions. I put my understanding and
> recommendations inline. Other devs please share your perspectives and
> advice, especially if they differ from what is written here. More questions
> and discussion are welcome. This is complicated stuff, but we want to be
> here to help.
> > On Wed, Mar 10, 2021 at 11:40 AM Quirin Pamp <pamp at atix.de> wrote:
> >> To summarize: I am uncertain how best to proceed, but perhaps I am
> overthinking this and simply respecting ALLOWED_CONTENT_CHECKSUMS and
> letting users decide is best.
> > The question I'll ask to help answer yours is: how much does pulp_deb
> break with 3.11's defaults? This would be good to know. Want to run a few
> tests and let us know? Maybe we can help give more info with that.
> > Aside from that, my general advice is to expect that pulp_deb users will
> change this setting, and to have the pulp_deb code work with the checksums
> it has available and error when it cannot fulfill their request due to not
> having the checksums it would need to do so.
> There is one difference between the RPM ecosystem and the Debian
> ecosystem here. APT will absolutely choke on a repository if MD5 is
> missing, even if it won't use it for "integrity". Various aspects of the
> ecosystem still use MD5 because it's the only guaranteed algorithm.
> Two major points where it's still mandatory:
> * Debian Source Control files and repodata generated for "sources".
> The dsc file (ex. rpm) uses MD5 for *file list*, and that's *not*
> optional. There *are* extra Checksums sections that you're supposed to
> use for integrity verification, but they are technically optional, and
> the only *guaranteed* algorithm is MD5, which is used for the Files
> * Debian InRelease and other repodata index files. The InRelease file
> (ex. Ubuntu 20.04) *guarantees* MD5Sums (note capital "S") for the
> file list, and while the current advice is that clients *must* also
> request a SHA2 algorithm to verify the integrity of the files, the
> first section using MD5 *must* be present or the repodata is invalid.
> The repository format wiki page somewhat details this (though being
> a wiki page, it's as inconsistent as any other wiki page, yay?).
Reading this section from the Wiki page you mention, I understand that
everything but SHA256 is indeed optional in the Release file (and i assume
the InRelease file too).
*Servers shall provide the InRelease file, and might provide a Release
files and its signed counterparts with at least the following keys: *
- *Suite and/or Codename *
- *Architectures *
- *Components *
- *Date *
- *SHA256 *
*Still having a unsigned Release file and MD5Sum is currently highly
> Probably the correct thing to do here is to make it possible to
> propagate the correct error information up so that users can be
> informed about missing algorithms and *why* so they can enable it. And
> if any installer is going to do Pulp with Debian, they also can't ask
> for weak algorithms to be disabled.
> : http://archive.ubuntu.com/ubuntu/dists/focal/InRelease
> : https://wiki.debian.org/DebianRepository/Format
> 真実はいつも一つ！/ Always, there's only one truth!
> Pulp-dev mailing list
> Pulp-dev at redhat.com
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Pulp-dev