
Bug#665921: marked as done (apt: use all hashsums available in secure APT)



Your message dated Thu, 4 Feb 2016 00:17:18 +0100
with message-id <20160204001528.GA9363@debian.org>
and subject line Re: Bug#423902: apt should use both md5 and sha1
has caused the Debian Bug report #423902,
regarding apt: use all hashsums available in secure APT
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
423902: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=423902
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apt
Version: 0.8.15.10
Severity: important
Tags: security


Hi.

I hope this isn't a duplicate (with ~900 bugs, I may have overlooked one ;-) ).


APT uses hash sum verifications in many places (hopefully all).

The files in /var/lib/apt/lists/ provide different kinds of hashsums (MD5, SHA*)
in all "kinds" of files, Release, Packages and Sources.

I made some simple tests, modifying these sums and doing actions.

It seems that for different actions (I tried with apt-get "download" and "source"),
different hashsums are looked at.
E.g. for one of them it was "just" MD5, which is known to be quite weak now.


May I suggest to do the following:
Validate ALL available, and if only one of them fails, consider the verification
to be failed.

The above should be the default.


Now for some people, verifying all of them might be too slow, so it could be nice
to add a configuration option that lets users specify which (one to many) they
PREFER(!) be calculated/verified.
Again, the default should be that ALL must verify successfully (as it should never
happen that this is not the case).

That way people could specify "just the strongest" (e.g. SHA512) or just the weakest
(e.g. MD5).

If the specified algorithm was not available at all, it should fall back to the
default and verify all available.
If no hashsums were available at all, this should of course be considered a
failure, too.


Cheers,
Chris.



--- End Message ---
--- Begin Message ---
On Mon, May 14, 2007 at 10:20:18PM +0200, Thomas Geyer wrote:
> Package: apt
> Version: 0.6.46.4
> Severity: wishlist
> 
> 
> Collisions for md5 and sha1 were found already,
> so it's likely that in the nearer future one of them alone won't be
> safe enough.
> 
> Since it is harder to find collisions for two checksums than for one,
> apt should use both of them at the same time for verifying packages.

We now check all available checksums (AFAIK) and better ones, so I am
closing this.

We have not marked SHA1 as insecure yet, so this requires your repo
to provide better than SHA1 signatures.

Note that gpg also happily accepts or accepted this until recently.

-- 
Julian Andres Klode  - Debian Developer, Ubuntu Member

See http://wiki.debian.org/JulianAndresKlode and http://jak-linux.org/.

When replying, only quote what is necessary, and write each reply
directly below the part(s) it pertains to (`inline'). Thank you.

--- End Message ---
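The policy Chris proposes in the first message (verify every hash sum that is available, fail on any mismatch, let a user prefer a subset but fall back to all when the preferred ones are absent, fail when none are present) and the state Julian describes in the reply (all available sums checked; a repository that only carries weak sums is not good enough on its own) are shown together below in an added Python example. This is not apt's code and not part of the bug thread. It assumes hashlib's algorithm names, a constructed Packages-style stanza as input, and a WEAK set containing only md5; that set is an assumption for the example, since the thread only says SHA1 had not yet been marked insecure.

```python
import hashlib
import hmac
from typing import Iterable

# Hash algorithms carried by Debian Release/Packages/Sources files that hashlib knows.
SUPPORTED = ("md5", "sha1", "sha256", "sha512")

# Packages-file field names mapped to hashlib algorithm names.
FIELD_TO_ALG = {"md5sum": "md5", "sha1": "sha1", "sha256": "sha256", "sha512": "sha512"}

# Assumption for this example: algorithms that may still be checked but are not
# sufficient on their own. apt's real classification is not stated in the thread.
WEAK = frozenset({"md5"})


def parse_hash_fields(stanza: str) -> dict:
    """Return {alg: hexdigest} for every hash field found in a Packages-style stanza."""
    found = {}
    for line in stanza.splitlines():
        if not line or line[0] in " \t" or ":" not in line:
            continue  # continuation lines and non-field lines carry no hash
        key, _, value = line.partition(":")
        alg = FIELD_TO_ALG.get(key.strip().lower())
        if alg:
            found[alg] = value.strip().lower()
    return found


def hashes_for(data: bytes, algs: Iterable[str] = SUPPORTED) -> dict:
    """Compute the digests a repository would publish for `data`."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algs}


def verify(data: bytes, expected: dict, prefer: Iterable[str] = ()) -> tuple:
    """Apply the policy from the bug report.

    - no hash sums at all           -> failure
    - `prefer` lists the algorithms the user wants checked; if none of them is
      published for this file, fall back to checking every available one
    - every selected hash must match; a single mismatch fails the whole check
    - a file whose verified hashes are all in WEAK is rejected as well
    Returns (ok, reason, checked_algorithms).
    """
    if not expected:
        return False, "no hash sums available", ()
    selected = [alg for alg in prefer if alg in expected] or sorted(expected)
    for alg in selected:
        actual = hashlib.new(alg, data).hexdigest()
        # constant-time comparison; an attacker-controlled index must not leak timing
        if not hmac.compare_digest(actual, expected[alg]):
            return False, f"{alg} mismatch", tuple(selected)
    if all(alg in WEAK for alg in selected):
        return False, "only weak hash sums verified", tuple(selected)
    return True, "ok", tuple(selected)


if __name__ == "__main__":
    payload = b"constructed package payload\n"  # constructed sample, not a real .deb
    published = hashes_for(payload)
    stanza = "Package: example\nMD5sum: {md5}\nSHA256: {sha256}\n".format(**published)
    print(verify(payload, parse_hash_fields(stanza)))           # (True, 'ok', ('md5', 'sha256'))
    tampered = dict(published, sha1="0" * 40)
    print(verify(payload, tampered))                            # (False, 'sha1 mismatch', ...)
    print(verify(payload, published, prefer=("sha512",)))       # only sha512 checked
    print(verify(payload, {"md5": published["md5"]}))           # rejected: md5 alone is weak
    print(verify(payload, {}))                                  # rejected: nothing to check
```

The fallback in `verify` deliberately ignores a preferred algorithm the repository does not publish rather than treating it as a failure, which is the behaviour Chris asks for; whether a missing preferred algorithm should instead be an error is a policy choice left to the caller.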