Bug#1057057: debian-policy: Please make Checksums-Sha1 optional


Dimitri John Ledkov

Nov 28, 2023, 5:30:04 PM
Package: debian-policy
Version: 4.6.2.0
Severity: wishlist
Tags: patch

Dear Maintainer,

SHA1 is an obsolete checksum method. For example, NIST recommends
phasing out all usage of SHA1 by 2030. Currently it is generated in .dsc
and .changes files and validated. It does not bring any additional
security measures over SHA256, which is already present. Unlike
Files/Md5, it is in fact optional and is trivial to drop.

Please consider making Checksums-Sha1 optional in .dsc and .changes.

All basic tooling handles the lack of Checksums-Sha1 gracefully, as they
are already not treated as trusted.

Launchpad accepts uploads without Checksums-Sha1.

Dak currently requires Checksums-Sha1, but I am happy to facilitate in
patching dak to make Checksums-Sha1 optional if this bug report is
accepted.

I have not checked other tools like Open Build Service, Artifactory,
etc.

Example files:

https://ppa.launchpadcontent.net/yolo4k/kernels/ubuntu/pool/main/h/hello/hello_2.10-2ubuntu5.dsc

https://launchpadlibrarian.net/699972411/hello_2.10-2ubuntu5_source.changes

Regards,

Dimitri.
0001-policy-Make-Checksums-Sha1-optional.patch
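As an added illustration of the point above, that a consumer can anchor trust in Checksums-Sha256 and treat Checksums-Sha1 as optional, here is example code that is not part of the bug report, the attached patch, or any Debian tool; the .dsc paragraph and tarball bytes it checks are constructed for the demo.

```python
import hashlib
import re

# Constructed sample input: fake tarball bytes and a filename as a .dsc would list it.
TARBALL = b"constructed tarball contents, not a real hello upload\n"
NAME = "hello_2.10.orig.tar.gz"

def build_dsc(data, name, include_sha1):
    """Build a minimal .dsc-style paragraph for one file (constructed, for the demo)."""
    size = len(data)
    lines = ["Format: 3.0 (quilt)", "Source: hello",
             "Files:", f" {hashlib.md5(data).hexdigest()} {size} {name}",
             "Checksums-Sha256:", f" {hashlib.sha256(data).hexdigest()} {size} {name}"]
    if include_sha1:
        lines += ["Checksums-Sha1:", f" {hashlib.sha1(data).hexdigest()} {size} {name}"]
    return "\n".join(lines) + "\n"

def parse_checksums(text, field):
    """Return {name: (hexdigest, size)} for a multi-line checksum field, or None if absent."""
    m = re.search(rf"^{field}:\n((?: .*\n)+)", text, re.M)
    if m is None:
        return None
    entries = {}
    for line in m.group(1).splitlines():
        digest, size, name = line.split()
        entries[name] = (digest, int(size))
    return entries

def verify_dsc(text, files):
    """Verify files ({name: bytes}) against a .dsc paragraph.
    Checksums-Sha256 is the trust anchor: it must be present and match.
    Checksums-Sha1 is never trusted on its own; if present it must be consistent,
    if absent the upload is still accepted. Returns (ok, list of notes)."""
    errors, notes = [], []
    sha256 = parse_checksums(text, "Checksums-Sha256")
    if sha256 is None:
        return False, ["Checksums-Sha256 missing: cannot verify"]
    for name, data in files.items():
        if sha256.get(name) != (hashlib.sha256(data).hexdigest(), len(data)):
            errors.append(f"{name}: Checksums-Sha256 or size mismatch")
    sha1 = parse_checksums(text, "Checksums-Sha1")
    if sha1 is None:
        notes.append("Checksums-Sha1 absent; accepted, SHA256 already covers the files")
    else:
        for name, data in files.items():
            if sha1.get(name) != (hashlib.sha1(data).hexdigest(), len(data)):
                errors.append(f"{name}: Checksums-Sha1 inconsistent with Checksums-Sha256")
    return not errors, errors + notes
```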

Russ Allbery

Nov 28, 2023, 6:10:04 PM
Dimitri John Ledkov <dimitri...@canonical.com> writes:

> Dak currently requires Checksums-Sha1, but I am happy to facilitate in
> patching dak to make Checksums-Sha1 optional if this bug report is
> accepted.

The field is documented as mandatory precisely because DAK requires it,
which makes it mandatory for Debian packages. As soon as DAK doesn't
require it, I'm happy to make it optional (and indeed it would arguably be
a bug in Policy if it's optional in the archive but Policy claims it's
mandatory).

--
Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>

Holger Levsen

Nov 28, 2023, 7:10:05 PM
hi,

snapshot.d.o also uses sha1 sums, at least internally, but I'd not be
surprised if also for external verification.


--
cheers,
Holger

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ holger@(debian|reproducible-builds|layer-acht).org
⢿⡄⠘⠷⠚⠋⠀ OpenPGP: B8BF54137B09D35CF026FE9D 091AB856069AAA1C
⠈⠳⣄

Reporter: You're the first person ever to win two Olympic tennis gold medals.
That's an extraordinary feat, isn't it?
Andy Murray: I think Venus and Serena have won about four each.

Dimitri John Ledkov

Nov 28, 2023, 7:20:03 PM
Hi,

On Wed, 29 Nov 2023 at 00:05, Holger Levsen <hol...@layer-acht.org> wrote:
>
> hi,
>
> snapshot.d.o also uses sha1 sums, at least internally, but I'd not be
> surprised if also for external verification.

At the moment I am trying to focus on the contents of .dsc and .changes
only, not the InRelease, Packages, etc. files.
Does snapshot.d.o peek inside .dsc and .changes files? Does it use
sha1 for "by-hash" like content addressing? My understanding was that
"by-hash" lookups use sha256 only (at least Launchpad's implementation
had code for sha1, but it never was in production proper).

--
okurrr,

Dimitri

Guillem Jover

Nov 28, 2023, 10:40:03 PM
Hi!

On Tue, 2023-11-28 at 14:57:10 -0800, Russ Allbery wrote:
> Dimitri John Ledkov <dimitri...@canonical.com> writes:
> > Dak currently requires Checksums-Sha1, but I am happy to facilitate in
> > patching dak to make Checksums-Sha1 optional if this bug report is
> > accepted.
>
> The field is documented as mandatory precisely because DAK requires it,
> which makes it mandatory for Debian packages. As soon as DAK doesn't
> require it, I'm happy to make it optional (and indeed it would arguably be
> a bug in Policy if it's optional in the archive but Policy claims it's
> mandatory).

I'd like to drop those from .changes and .dsc (among other things),
but demoting these, which are currently marked as required, to me implies
a major format version bump. And I don't recall ever demoting required
fields, only promoting fields from optional to required.

For .changes, I've got this among other cleanups that would be nice to
do to the format:

https://wiki.debian.org/Teams/Dpkg/Spec/ChangesFormat2.0

but there did not seem to be much enthusiasm when I proposed this some
time ago:

https://lists.debian.org/debian-devel/2016/04/msg00326.html

For .dsc, there's the problem that, very confusingly, the Format is used
not for the file format but for the source format, which I think was
a mistake at the time, but here we are; see the .dsc section at:

https://wiki.debian.org/Teams/Dpkg/TimeTravelFixes

Thanks,
Guillem