public inbox for gentoo-dev@lists.gentoo.org
* [gentoo-dev] Notification about MD5 support
@ 2006-09-21 13:34 Marius Mauch
  2006-09-21 13:49 ` Mike Frysinger
  0 siblings, 1 reply; 9+ messages in thread
From: Marius Mauch @ 2006-09-21 13:34 UTC (permalink / raw
  To: gentoo-dev

Ferringb recently told me that this info apparently wasn't
mentioned explicitly enough in GLEP 44:

Manifest2 records do not contain a MD5 checksum. The only guaranteed
checksum type there is SHA1. So once manifest1 is phased out the tree
will not contain MD5 checksums anymore.

This is just a reminder, not a request for discussion (unless you
have a *really* good reason why MD5 is still needed)

Marius
-- 
gentoo-dev@gentoo.org mailing list




* Re: [gentoo-dev] Notification about MD5 support
  2006-09-21 13:34 [gentoo-dev] Notification about MD5 support Marius Mauch
@ 2006-09-21 13:49 ` Mike Frysinger
  2006-09-21 14:00   ` Brian Harring
  0 siblings, 1 reply; 9+ messages in thread
From: Mike Frysinger @ 2006-09-21 13:49 UTC (permalink / raw
  To: gentoo-dev

On Thursday 21 September 2006 09:34, Marius Mauch wrote:
> Manifest2 records do not contain a MD5 checksum. The only guaranteed
> checksum type there is SHA1. So once manifest1 is phased out the tree
> will not contain MD5 checksums anymore.

by "guaranteed" do you mean "guaranteed to be in the records" ?  SHA1 has 
proven to be "insecure" like MD5
-mike


* Re: [gentoo-dev] Notification about MD5 support
  2006-09-21 13:49 ` Mike Frysinger
@ 2006-09-21 14:00   ` Brian Harring
  2006-09-21 14:11     ` Mike Frysinger
  0 siblings, 1 reply; 9+ messages in thread
From: Brian Harring @ 2006-09-21 14:00 UTC (permalink / raw
  To: gentoo-dev

On Thu, Sep 21, 2006 at 09:49:18AM -0400, Mike Frysinger wrote:
> On Thursday 21 September 2006 09:34, Marius Mauch wrote:
> > Manifest2 records do not contain a MD5 checksum. The only guaranteed
> > checksum type there is SHA1. So once manifest1 is phased out the tree
> > will not contain MD5 checksums anymore.
> 
> by "guaranteed" do you mean "guaranteed to be in the records" ?  SHA1 has 
> proven to be "insecure" like MD5

Guaranteed to be in the chksum data; iow, when manifest2 is switched 
over to fully all manifest1/digest data becomes effectively invisible 
to portage and is filtered out on commits.

So... what's guaranteed in manifest2 now is just sha1.  In reality, it 
holds size/sha1/sha256/rmd160 per file entry.
~harring


* Re: [gentoo-dev] Notification about MD5 support
  2006-09-21 14:00   ` Brian Harring
@ 2006-09-21 14:11     ` Mike Frysinger
  2006-09-21 14:49       ` Vlastimil Babka
  0 siblings, 1 reply; 9+ messages in thread
From: Mike Frysinger @ 2006-09-21 14:11 UTC (permalink / raw
  To: gentoo-dev

On Thursday 21 September 2006 10:00, Brian Harring wrote:
> On Thu, Sep 21, 2006 at 09:49:18AM -0400, Mike Frysinger wrote:
> > On Thursday 21 September 2006 09:34, Marius Mauch wrote:
> > > Manifest2 records do not contain a MD5 checksum. The only guaranteed
> > > checksum type there is SHA1. So once manifest1 is phased out the tree
> > > will not contain MD5 checksums anymore.
> >
> > by "guaranteed" do you mean "guaranteed to be in the records" ?  SHA1 has
> > proven to be "insecure" like MD5
>
> Guaranteed to be in the chksum data; iow, when manifest2 is switched
> over to fully all manifest1/digest data becomes effectively invisible
> to portage and is filtered out on commits.
>
> So... what's guaranteed in manifest2 now is just sha1.  In reality, it
> holds size/sha1/sha256/rmd160 per file entry.

ok, but it just seems silly to go cutting MD5 but leaving SHA1 ... if we're 
going to be leaving an insecure format, we might as well keep the one that is 
a virtual standard in and of itself (MD5)
-mike


* Re: [gentoo-dev] Notification about MD5 support
  2006-09-21 14:11     ` Mike Frysinger
@ 2006-09-21 14:49       ` Vlastimil Babka
  2006-09-21 15:01         ` Mike Frysinger
  2006-09-21 15:54         ` Hanno Böck
  0 siblings, 2 replies; 9+ messages in thread
From: Vlastimil Babka @ 2006-09-21 14:49 UTC (permalink / raw
  To: gentoo-dev

Mike Frysinger wrote:
> ok, but it just seems silly to go cutting MD5 but leaving SHA1 ... if we're 
> going to be leaving an insecure format, we might as well keep the one that is 
> a virtual standard in and of itself (MD5)
> -mike

GLEP 44 says:
<snip>
For compatibility though we have to rely on at least one hash function to 
always be present, this proposal suggests to use SHA1 for this purpose 
(as it is supposed to be more secure than MD5 and currently only SHA1 
and MD5 are directly available in python, also MD5 doesn't have any 
benefit in terms of compatibility).
</snip>

Although the "more secure than MD5" part is now questionable, I suppose 
the "directly available in python" part still holds? One point of the 
GLEP is to make tree smaller, so why keep more insecure formats when the 
room they would occupy can be used for more secure formats like 
sha256/512, although those can't be deemed the mandatory ones because 
they're not directly in python.
So if both MD5 and SHA1 are now insecure but one of them needs to be the 
mandatory one, the question is, is it still harder to crack SHA1 than 
MD5? If yes, then just forget MD5.

-- 
Vlastimil Babka (Caster)
Gentoo/Java

* Re: [gentoo-dev] Notification about MD5 support
  2006-09-21 14:49       ` Vlastimil Babka
@ 2006-09-21 15:01         ` Mike Frysinger
  2006-09-21 15:54         ` Hanno Böck
  1 sibling, 0 replies; 9+ messages in thread
From: Mike Frysinger @ 2006-09-21 15:01 UTC (permalink / raw
  To: gentoo-dev

On Thursday 21 September 2006 10:49, Vlastimil Babka wrote:
> GLEP 44 says:

touche
-mike


* Re: [gentoo-dev] Notification about MD5 support
  2006-09-21 14:49       ` Vlastimil Babka
  2006-09-21 15:01         ` Mike Frysinger
@ 2006-09-21 15:54         ` Hanno Böck
  2006-09-22 17:16           ` Chris White
  1 sibling, 1 reply; 9+ messages in thread
From: Hanno Böck @ 2006-09-21 15:54 UTC (permalink / raw
  To: gentoo-dev

On Thursday, 21 September 2006 16:49, Vlastimil Babka wrote:
> Although the "more secure than MD5" part is now questionable, I suppose
> the "directly available in python" part still holds?

From "What's new in python 2.5"

13.3 The hashlib package 
 A new hashlib module, written by Gregory P. Smith, has been added to replace 
the md5 and sha modules. hashlib adds support for additional secure hashes 
(SHA-224, SHA-256, SHA-384, and SHA-512). When available, the module uses 
OpenSSL for fast platform optimized implementations of algorithms. 
 The old md5 and sha modules still exist as wrappers around hashlib to 
preserve backwards compatibility. The new module's interface is very close to 
that of the old modules, but not identical. The most significant difference 
is that the constructor functions for creating new hashing objects are named 
differently.


I think sha256/512 is the only thing that makes sense at the moment, as it 
most probably will stay secure for quite a while and we don't have real 
alternatives. So imho use sha256, get rid of everything else, because that 
rarely improves security, and wait for the nist to define something new 
(which will happen, but probably take some years from now).

cu,

Hanno


* Re: [gentoo-dev] Notification about MD5 support
  2006-09-21 15:54         ` Hanno Böck
@ 2006-09-22 17:16           ` Chris White
  2006-09-22 23:02             ` Vlastimil Babka
  0 siblings, 1 reply; 9+ messages in thread
From: Chris White @ 2006-09-22 17:16 UTC (permalink / raw
  To: gentoo-dev

On Thursday 21 September 2006 08:54, Hanno Böck wrote:
> I think sha256/512 is the only thing that makes sense at the moment, as it
> most probably will stay secure for quite a while and we don't have real
> alternatives. So imho use sha256, get rid of everything else, because that
> rarely improves security, and wait for the nist to define something new
> (which will happen, but probably take some years from now).

Well, the problem that occurs here is the verification process.  With MD5, you 
can hit most upstream sites, and they'll have an MD5SUM available that you 
can authenticate against.  With SHA256, you would need an upstream that 
actually implements them as hashes for release notifications.  Without this 
sort of verification, there's a better chance of someone putting out some 
kind of exploit tarball, us hashing it as per the usual, and the whole 
purpose gets defeated.  Yes, you can consider that developers should be going 
in and checking the changes, etc., but the problem is it's something a lot of 
devs would be less likely to do versus an easy md5sum lookup.

-- 
Chris White
Gentoo Developer aka:
xxxxxx (Scissors Were Here) xxxxxx


* Re: [gentoo-dev] Notification about MD5 support
  2006-09-22 17:16           ` Chris White
@ 2006-09-22 23:02             ` Vlastimil Babka
  0 siblings, 0 replies; 9+ messages in thread
From: Vlastimil Babka @ 2006-09-22 23:02 UTC (permalink / raw
  To: gentoo-dev

Chris White wrote:
> Well, the problem that occurs here is the verification process.  With MD5, you 
> can hit most upstream sites, and they'll have an MD5SUM available that you 
> can authenticate against.

Well if you care enough to verify this, you can easily create an md5sum 
of the fetched distfile yourself, and compare that with upstream :)
Of course, if you want to verify digests of random packages without 
wanting to actually download and use them, then you would miss MD5 in 
the manifest, but how likely is that?

-- 
Vlastimil Babka (Caster)
Gentoo/Java
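
Added example (not part of the thread or of Portage's code): the check the last two messages describe, verifying a fetched distfile against a Manifest2-style entry and, optionally, against upstream's published MD5. The `DIST <name> <size> <HASH> <hex> ...` line layout, the `HASHLIB_NAMES` mapping, the rule that at least one SHA-256/512 digest must match, and the sample file are assumptions of this example.

```python
import hashlib

# Manifest2 hash names mapped to hashlib names (mapping is this example's assumption).
HASHLIB_NAMES = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256",
                 "SHA512": "sha512", "RMD160": "ripemd160"}
STRONG = {"SHA256", "SHA512"}  # policy assumed here: one of these must match


def parse_entry(line):
    """Split '<type> <name> <size> <HASH> <hex> ...' into its parts."""
    fields = line.split()
    if len(fields) < 5 or len(fields) % 2 != 1:
        raise ValueError("malformed Manifest2 entry")
    ftype, name, size = fields[0], fields[1], int(fields[2])
    sums = dict(zip(fields[3::2], (h.lower() for h in fields[4::2])))
    return ftype, name, size, sums


def verify(data, line, upstream_md5=None):
    """Check data against every digest in the entry; return (ok, report)."""
    _, _, size, sums = parse_entry(line)
    report = {"size": len(data) == size}
    for algo, expected in sums.items():
        try:
            h = hashlib.new(HASHLIB_NAMES.get(algo, algo.lower()))
        except ValueError:          # e.g. RMD160 missing from this OpenSSL build
            report[algo] = None     # not checked: neither a pass nor a fail
            continue
        h.update(data)
        report[algo] = h.hexdigest() == expected
    if upstream_md5 is not None:    # cross-check against upstream's MD5SUM file
        report["upstream MD5"] = hashlib.md5(data).hexdigest() == upstream_md5.lower()
    checked_strong = any(report.get(a) for a in STRONG)
    ok = checked_strong and all(v is not False for v in report.values())
    return ok, report


def make_entry(name, data, algos=("SHA1", "SHA256")):
    """Build a constructed sample entry for the demo below."""
    parts = ["DIST", name, str(len(data))]
    for a in algos:
        parts += [a, hashlib.new(HASHLIB_NAMES[a], data).hexdigest()]
    return " ".join(parts)


if __name__ == "__main__":
    tarball = b"constructed sample distfile contents\n"
    entry = make_entry("foo-1.0.tar.gz", tarball)
    print(verify(tarball, entry, hashlib.md5(tarball).hexdigest()))
    print(verify(tarball + b"x", entry))  # tampered copy fails size and digests
```

An entry that carries only SHA1 reports a SHA1 match but still returns `ok` as false, since no strong digest was checked.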