David Campbell <dcampbell24@gmail.com> writes:

> To whom it may concern,
>
> dpkg currently uses MD5 to verify packages, but MD5 is considered
> insecure, why not switch to SHA256 (and also update lintian)?
>
> Also, to make verifying packages more useful, why not get a checksum
> from a more trusted source, like a main Debian package repository to
> compare with what is generated from a package from a mirror?
>
> Are there any other ways to make checksumming packages more useful?
> Does dpkg or apt currently check package checksums if you don't pass
> dpkg --verify? Can the checksumming ever cause a failure?
>
> Please, include my email address in the CC if you respond to this
> message. I am not subscribed to the mailing list.

There is another dimension to removing MD5 support in dpkg. While MD5 is broken from a cryptographic perspective, I believe hash checksums in dpkg serve two purposes: 1) integrity checking for accidental corruption, and 2) integrity checking for intentional (malicious) corruption. MD5 no longer protects against 2) but it works fine for 1).

So why care? SHA256 is a better choice that protects both 1) and 2), so why not remove MD5 and migrate to SHA256? The problem is that then people who want to check for 1) corruption will have to implement support for both MD5 and SHA256 to achieve this goal. Over time, this becomes complicated and parametrized to support, but offers no additional functionality for them.

It would have been nicer if the 1) and 2) features were provided by different headers, for example a Hash-Checksum: and a Hash-Crypto: header, and then we could have a non-cryptographic checksum in Hash-Checksum: and use the same algorithm forever, and for the Hash-Crypto: header we could use the latest strong crypto algorithm. But we don't have that.

So I think it makes some sense to keep supporting MD5 for backwards-compatibility for integrity checking, while ALSO supporting the latest strong cryptographic checksum. The latter can be migrated consistent with latest crypto research without worrying about backwards compatibility.

Compare how packages.debian.org also uses MD5 -- https://packages.debian.org/source/unstable/libntlm -- which I think is reasonable, but it should definitely ALSO publish a SHA256 checksum.

Maybe this should be written down somewhere to avoid future questions about it, if indeed this is the consensus.

/Simon
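The two purposes distinguished in the mail above, as an added example that is not part of the original message and is not dpkg or apt code: a verifier that checks every digest a Packages-style stanza carries and reports whether the match only rules out accidental corruption (MD5 alone) or also resists tampering (SHA256 present). The function names and verdict labels are this example's own, the package bytes are constructed, and the stanza is assumed to come from an index that was already authenticated.

```python
import hashlib

# Digest fields of a Debian Packages index stanza, mapped to hashlib names and
# to the purpose each can still serve (purpose labels are this example's own).
FIELDS = {
    "MD5sum": ("md5", "corruption-only"),
    "SHA256": ("sha256", "tamper-resistant"),
}

def parse_stanza(text):
    """Parse the 'Field: value' lines of one stanza into a dict."""
    out = {}
    for line in text.strip().splitlines():
        key, _, value = line.partition(":")
        out[key.strip()] = value.strip()
    return out

def verify(data, stanza):
    """Return 'corrupt', 'intact-weak' or 'intact-strong' for data."""
    if "Size" in stanza and int(stanza["Size"]) != len(data):
        return "corrupt"
    checked, strong = 0, False
    for field, (algo, purpose) in FIELDS.items():
        if field not in stanza:
            continue
        if hashlib.new(algo, data).hexdigest() != stanza[field].lower():
            return "corrupt"  # any mismatch fails, weak or strong
        checked += 1
        strong = strong or purpose == "tamper-resistant"
    if checked == 0:
        raise ValueError("stanza carries no digest this verifier knows")
    # MD5 alone shows the bytes were not damaged in transit, nothing more.
    return "intact-strong" if strong else "intact-weak"

# Constructed sample: fake package bytes and two stanzas derived from them.
PKG = b"constructed package bytes, not a real .deb\n"
BOTH = parse_stanza(f"""
Size: {len(PKG)}
MD5sum: {hashlib.md5(PKG).hexdigest()}
SHA256: {hashlib.sha256(PKG).hexdigest()}
""")
MD5_ONLY = {k: v for k, v in BOTH.items() if k != "SHA256"}

if __name__ == "__main__":
    print(verify(PKG, BOTH), verify(PKG, MD5_ONLY), verify(PKG + b"x", BOTH))
```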