--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: apt: use all hashsums available in secure APT
- From: Christoph Anton Mitterer <calestyo@scientia.net>
- Date: Tue, 27 Mar 2012 03:34:08 +0200
- Message-id: <20120327013408.16077.73289.reportbug@heisenberg.scientia.net>
Package: apt
Version: 0.8.15.10
Severity: important
Tags: security
Hi.
I hope this isn't a duplicate (with ~900 bugs, I may have overseen one ;-) ).
APT uses hash sum verifications in many places (hopefully all).
The files in /var/lib/apt/lists/ provide different kinds of hashsums (MD5, SHA*)
in all "kinds" of files, Release, Packages and Sources.
I made some simple tests, modifying these sums and doing actions.
It seems that for different actions (I tried with apt-get "download" and "source"),
different hashsums are looked at.
E.g. for one of them it was "just" MD5, which is known to be quite weak now.
May I suggest to do the following:
Validate ALL available, and if only one of them fails, consider the verification
to be failed.
The above should be the default.
Now for some people, verifying all of them might be too slow, so it could be nice
to add a configuration option that lets users specify which (one to many) they
PREFER(!) be calculated/verified.
Again, the default should be that ALL must verify successfully (as it should never
happen that this is not the case).
That way people could specify "just the strongest" (e.g. SHA512) or just the weakest
(e.g. MD5).
If the specified algorithm was not available at all, it should fall back to the
default and verify all available.
If no hashsums were available at all, this should of course be considered a
failure, too.
Cheers,
Chris.
--- End Message ---
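The verification policy proposed in the message above, as an added example that is not part of the bug report and is not APT's own code: check every hash sum a Packages stanza offers, fail on any mismatch, fall back to "all" when the preferred algorithm is not offered, and fail when no hash is present. The field names MD5sum, SHA1, SHA256 and SHA512 are those used in Debian Packages stanzas; the function names, the `preferred` parameter and the sample data are assumptions constructed for illustration.

```python
import hashlib

# Packages-stanza field name -> hashlib algorithm name
FIELDS = {"MD5sum": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}

def stanza_hashes(stanza):
    """Return {field: hexdigest} for the hash fields present in one stanza."""
    found = {}
    for line in stanza.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in FIELDS:
            found[key] = value.strip().lower()
    return found

def verify(data, stanza, preferred=()):
    """Return (ok, checked_fields) under the policy proposed in the report."""
    available = stanza_hashes(stanza)
    if not available:
        return False, []          # no hash sums at all counts as a failure
    chosen = [f for f in preferred if f in available]
    if not chosen:                # no preference, or preferred one not offered
        chosen = list(available)  # default: every available hash is checked
    ok = True
    for field in chosen:
        digest = hashlib.new(FIELDS[field], data).hexdigest()
        if digest != available[field]:
            ok = False            # a single mismatch fails the verification
    return ok, chosen

def make_stanza(data, fields=tuple(FIELDS)):
    """Build a constructed sample stanza carrying the given hash fields."""
    lines = ["Package: example-pkg", f"Size: {len(data)}"]
    lines += [f"{f}: {hashlib.new(FIELDS[f], data).hexdigest()}" for f in fields]
    return "\n".join(lines)

# Constructed sample data, not taken from a real archive.
PAYLOAD = b"constructed package contents"
GOOD = make_stanza(PAYLOAD)
# Index entry whose SHA256 was altered while the MD5sum was left intact.
BAD = GOOD.replace(hashlib.sha256(PAYLOAD).hexdigest(), "0" * 64)

if __name__ == "__main__":
    print("all hashes, good index :", verify(PAYLOAD, GOOD))
    print("all hashes, altered    :", verify(PAYLOAD, BAD))
    print("MD5sum only, altered   :", verify(PAYLOAD, BAD, preferred=["MD5sum"]))
```

The last call shows why checking only one sum hides an altered entry: with `preferred=["MD5sum"]` the changed SHA256 value is never looked at.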
--- Begin Message ---
- To: 423902-done@bugs.debian.org
- Subject: Re: Bug#423902: apt should use both md5 and sha1
- From: Julian Andres Klode <jak@debian.org>
- Date: Thu, 4 Feb 2016 00:17:18 +0100
- Message-id: <20160204001528.GA9363@debian.org>
- In-reply-to: <fe4da5070705141320i27935cf9qc20b84ef26ead30e@mail.gmail.com>
- References: <fe4da5070705141320i27935cf9qc20b84ef26ead30e@mail.gmail.com>
On Mon, May 14, 2007 at 10:20:18PM +0200, Thomas Geyer wrote:
> Package: apt
> Version: 0.6.46.4
> Severity: wishlist
>
>
> Collisions for md5 and sha1 were found already,
> so it's likely, that in the nearer future one of them alone won't be
> safe enough.
>
> Since it is harder to find collisions for two checksums than for one,
> apt should use both of them at the same time for verifying packages.
We now check all available checksums (AFAIK) and better ones, so I am
closing this.
We have not marked SHA1 as unsecure yet, so this requires your repo
to provide better than SHA1 signatures.
Note that gpg also happily accepts or accepted this until recently.
--
Julian Andres Klode - Debian Developer, Ubuntu Member
See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.
When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to (`inline'). Thank you.
--- End Message ---