[Pulp-list] Removing MD5 and SHA-1 as default available checksums in 3.11

Daniel Alley dalley at redhat.com
Mon Feb 15 02:21:39 UTC 2021


>
> RPM and Migration plugin users will need to add this back in at 3.11
> upgrade time for your systems to continue working.


Just to clarify, this only applies if you are using RPM repositories that
use MD5 or SHA1 checksums.  None of the Red Hat or CentOS repositories for
RHEL / CentOS 8 do, and only a couple of the RHEL / CentOS 7 repositories
do, mostly the smaller and less used ones.

MD5 can be left disabled unless you are managing extremely old or
misconfigured repositories.

On Fri, Feb 12, 2021 at 3:13 PM Brian Bouterse <bmbouter at redhat.com> wrote:

> tl;dr With pulpcore 3.11, the plan is to remove MD5 and SHA-1 from the
> list of default available checksums.  RPM and Migration plugin users will
> need to add this back in at 3.11 upgrade time for your systems to continue
> working. Please give on-list feedback on this change.
>
> ## Background
>
> Pulp has the ALLOWED_CONTENT_CHECKSUMS setting [0] which, by default,
> currently includes md5, sha-1, sha-224, sha-256, sha-384, and sha-512. Pulp
> code is restricted to only using hashers from this list. This feature gives
> admins the ability to prohibit hashers they do not trust. Pulp uses these
> checksums for package integrity verification purposes when syncing and
> publishing content.
>
> ## Motivation
>
> We need to make Pulp secure by default. MD5 is known to be insecure, and
> therefore it is unsafe for Pulp to allow its use for calculating package
> integrity by default. SHA-1 is widely believed to be insecure, or will be
> soon, and should not be allowed by default for the same reason.
>
> ## Proposal
>
> Pulpcore 3.11 would remove md5 and sha-1 from the default list of allowed
> checksums, leaving sha-224..sha-512. Specifically this change is occurring
> in the `ALLOWED_CONTENT_CHECKSUMS` setting [0]. This is only a change to
> the default settings; any specific system can be configured as desired.
> Nothing is "being taken away".
>
> ## Required User Action with 3.11
>
> We believe both RPM plugin users and Migration plugin users will be
> impacted by this and mostly from the SHA-1 removal. SHA-1 is still used on
> a variety of CDNs including Red Hat's. Also as data is migrated from Pulp2
> systems, this also likely uses SHA-1 and MD5 as the migration plugin runs.
>
> If users are using the defaults for `ALLOWED_CONTENT_CHECKSUMS` and want
> to continue using SHA-1, they will need to update
> `ALLOWED_CONTENT_CHECKSUMS` in their settings file. Alternatively, users
> will need to run `pulpcore-manager handle-artifact-checksums` after upgrade
> to update any existing artifacts after upgrading.
>
> ## Why not automate this?
>
> We do not take manual user action at upgrade time lightly. However, this
> is a security change, and we believe we need each Pulp system to opt-in for
> themselves.
>
> [0]:
> https://docs.pulpproject.org/pulpcore/settings.html#allowed-content-checksums
>
> Thanks!
> The Pulpcore Team
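
An added example, not part of the original thread or of Pulp's code: one way to check whether a repository falls under the "uses MD5 or SHA1 checksums" case is to read the checksum types declared in its repomd.xml and compare them with the allowed list. The sample metadata, the function names and the "sha" to "sha1" alias handling are assumptions of this sketch; per-package checksum types live in primary.xml and are not covered here.

```python
import xml.etree.ElementTree as ET

# Default list after the change proposed in the thread (md5 and sha1 removed).
ALLOWED_CONTENT_CHECKSUMS = ["sha224", "sha256", "sha384", "sha512"]

REPO_NS = "{http://linux.duke.edu/metadata/repo}"
# Older yum metadata writes SHA-1 as plain "sha".
ALIASES = {"sha": "sha1"}

# Constructed sample repomd.xml; the digests are placeholders, not real values.
SAMPLE_REPOMD = """<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>1</revision>
  <data type="primary">
    <checksum type="sha">PLACEHOLDER</checksum>
    <open-checksum type="sha">PLACEHOLDER</open-checksum>
    <location href="repodata/primary.xml.gz"/>
  </data>
  <data type="filelists">
    <checksum type="sha256">PLACEHOLDER</checksum>
    <open-checksum type="sha256">PLACEHOLDER</open-checksum>
    <location href="repodata/filelists.xml.gz"/>
  </data>
</repomd>
"""

def checksum_types(repomd_xml):
    """Return {metadata type: set of normalized checksum algorithm names}."""
    # For metadata fetched from an untrusted source, use a hardened XML parser.
    root = ET.fromstring(repomd_xml)
    found = {}
    for data in root.iter(REPO_NS + "data"):
        algos = set()
        for tag in ("checksum", "open-checksum"):
            for el in data.iter(REPO_NS + tag):
                name = el.get("type", "").lower()
                algos.add(ALIASES.get(name, name))
        found[data.get("type")] = algos
    return found

def disallowed(repomd_xml, allowed=ALLOWED_CONTENT_CHECKSUMS):
    """Return sorted (metadata type, algorithm) pairs outside the allowed list."""
    return sorted(
        (kind, algo)
        for kind, algos in checksum_types(repomd_xml).items()
        for algo in algos
        if algo not in allowed
    )

if __name__ == "__main__":
    for kind, algo in disallowed(SAMPLE_REPOMD):
        print(f"{kind}: {algo} is not in ALLOWED_CONTENT_CHECKSUMS")
```

An empty result means the metadata files only use checksum types from the allowed list; any pair returned names an algorithm that would have to be added back to `ALLOWED_CONTENT_CHECKSUMS` for that repository.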