[Pulp-dev] Removing MD5 and SHA-1 as default available checksums in 3.11

Matthias Dellweg mdellweg at redhat.com
Thu Mar 11 08:52:23 UTC 2021


Well, just because it's documented does not mean it's true. Seems like the
wiki is expressing a dream then.
Thank you for sharing your experience.

On Thu, Mar 11, 2021 at 9:44 AM Neal Gompa <ngompa13 at gmail.com> wrote:

> On Thu, Mar 11, 2021 at 3:31 AM Matthias Dellweg <mdellweg at redhat.com>
> wrote:
> >
> >
> >
> > On Thu, Mar 11, 2021 at 9:13 AM Neal Gompa <ngompa13 at gmail.com> wrote:
> >>
> >> On Wed, Mar 10, 2021 at 10:20 PM Brian Bouterse <bmbouter at redhat.com>
> wrote:
> >> >
> >> > Thanks Quirin for the questions. I put my understanding and
> recommendations inline. Other devs please share your perspectives and
> advice, especially if they differ from what is written here. More questions
> and discussion are welcome. This is complicated stuff, but we want to be
> here to help.
> >> >
> >> > On Wed, Mar 10, 2021 at 11:40 AM Quirin Pamp <pamp at atix.de> wrote:
> >> >>
> >> >> To summarize: I am uncertain how best to proceed, but perhaps I am
> overthinking this and simply respecting ALLOWED_CONTENT_CHECKSUMS and
> letting users decide is best.
> >> >
> >> > The question I'll ask to help answer yours is: how much does pulp_deb
> break with 3.11's defaults? This would be good to know. Want to run a few
> tests and let us know? Maybe we can help give more info with that.
> >> >
> >> > Aside from that, my general advice is to expect that pulp_deb users
> will change this setting, and to have the pulp_deb code work with the
> checksums it has available and error when it cannot fulfill their request
> due to not having the checksums it would need to do so.
> >>
> >> There is one difference between the RPM ecosystem and the Debian
> >> ecosystem here. APT will absolutely choke on a repository if MD5 is
> >> missing, even if it won't use it for "integrity". Various aspects of
> the Debian
> >> ecosystem still use MD5 because it's the only guaranteed algorithm.
> >>
> >> Two major points where it's still mandatory:
> >>
> >> * Debian Source Control files and repodata generated for "sources".
> >> The dsc file (ex. rpm[1]) uses MD5 for *file list*, and that's *not*
> >> optional. There *are* extra Checksums sections that you're supposed to
> >> use for integrity verification, but they are technically optional, and
> >> the only *guaranteed* algorithm is MD5, which is used for the Files
> >> section.
> >>
> >> * Debian InRelease and other repodata index files. The InRelease file
> >> (ex. Ubuntu 20.04[2]) *guarantees* MD5Sums (note capital "S") for the
> >> file list, and while the current advice is that clients *must* also
> >> request a SHA2 algorithm to verify the integrity of the files, the
> >> first section using MD5 *must* be present or the repodata is invalid.
> >>
> >> The repository format wiki page[3] somewhat details this (though being
> >> a wiki page, it's as inconsistent as any other wiki page, yay?).
> >
> >
> > Reading this section from the Wiki page you mention, I understand that
> everything but SHA256 is indeed optional in the Release file (and I assume
> the InRelease file too).
> >
> > Servers shall provide the InRelease file, and might provide a Release
> files and its signed counterparts with at least the following keys:
> >
> > Suite and/or Codename
> > Architectures
> > Components
> > Date
> > SHA256
> >
> > Still having an unsigned Release file and MD5Sum is currently highly
> recommended.
>
> Unsigned Release is probably the only truly optional part (and that's
> needed for pre-2016 APT versions), but in practice, I haven't been
> able to leave out MD5Sum from APT repository metadata without breaking
> clients. Admittedly, I haven't tried recently (as in not in the last
> couple of years, the last time I tried was in the Ubuntu 17.04
> timeframe).
>
>
>
>
> --
> 真実はいつも一つ!/ Always, there's only one truth!
>
>
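A worked illustration of the Release-file layout argued over above, as an added example that is not Pulp's or APT's own code: it parses a constructed Release file, insists that the MD5Sum section exists (the presence older clients choke on) but verifies the index's integrity only against SHA256.

```python
import hashlib

# Constructed sample: a Packages index and a minimal Release file listing it in
# both an MD5Sum section (compatibility) and a SHA256 section (integrity).
PACKAGES_INDEX = b"Package: example\nVersion: 1.0\nArchitecture: amd64\n"
RELEASE_FILE = f"""Suite: stable
Codename: example
Architectures: amd64
Components: main
Date: Thu, 11 Mar 2021 08:52:23 UTC
MD5Sum:
 {hashlib.md5(PACKAGES_INDEX).hexdigest()} {len(PACKAGES_INDEX)} main/binary-amd64/Packages
SHA256:
 {hashlib.sha256(PACKAGES_INDEX).hexdigest()} {len(PACKAGES_INDEX)} main/binary-amd64/Packages
"""

# Release section names mapped to hashlib algorithm names.
CHECKSUM_SECTIONS = {"MD5Sum": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}


def parse_release(text):
    """Return (fields, sections): scalar header fields and, per checksum
    section, a mapping of path -> (hexdigest, size)."""
    fields, sections, current = {}, {}, None
    for line in text.splitlines():
        if line.startswith(" ") and current is not None:
            digest, size, path = line.split()          # " <hash> <size> <path>"
            sections[current][path] = (digest, int(size))
        elif ":" in line:
            key, _, value = line.partition(":")
            if key in CHECKSUM_SECTIONS:
                current = key
                sections.setdefault(key, {})
            else:
                current = None
                fields[key] = value.strip()
    return fields, sections


def verify_index(release_text, path, data, required=("SHA256",), compat=("MD5Sum",)):
    """Check `data` for `path` with every `required` algorithm. `compat`
    sections only have to be present; they are never trusted for integrity.
    Raises ValueError if a required or compat section is missing entirely."""
    _, sections = parse_release(release_text)
    missing = [name for name in required + compat if name not in sections]
    if missing:
        raise ValueError(f"Release file lacks checksum sections: {missing}")
    for name in required:
        expected_digest, expected_size = sections[name][path]
        actual = hashlib.new(CHECKSUM_SECTIONS[name], data).hexdigest()
        if len(data) != expected_size or actual != expected_digest:
            return False
    return True
```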