* [ptxdist] Replace MD5 with SHA256 hashes all at once
@ 2015-07-19 12:44 Clemens Gruber
2015-07-21 5:26 ` Bruno Thomsen
0 siblings, 1 reply; 4+ messages in thread
From: Clemens Gruber @ 2015-07-19 12:44 UTC (permalink / raw)
To: ptxdist; +Cc: Michael Olbrich, Bruno Thomsen
Hi Bruno, Hi Michael,
what do you think about a script to replace all existing MD5 hashes with SHA256
instead of replacing all of them individually?
Regards,
Clemens
--
ptxdist mailing list
ptxdist@pengutronix.de
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [ptxdist] Replace MD5 with SHA256 hashes all at once
2015-07-19 12:44 [ptxdist] Replace MD5 with SHA256 hashes all at once Clemens Gruber
@ 2015-07-21 5:26 ` Bruno Thomsen
2015-07-21 10:16 ` Michael Olbrich
0 siblings, 1 reply; 4+ messages in thread
From: Bruno Thomsen @ 2015-07-21 5:26 UTC (permalink / raw)
To: Clemens Gruber; +Cc: Michael Olbrich, ptxdist
> what do you think about a script to replace all existing MD5 hashes with SHA256 instead of replacing all of them individually?
Okay, so you want to create a script that take all rules; download the source; sha256sum; modify rule.
Sounds like a good idea, but then I would prefer that 2-3 ppl run the script, just to make sure different proxies are used.
/Bruno
--
ptxdist mailing list
ptxdist@pengutronix.de
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [ptxdist] Replace MD5 with SHA256 hashes all at once
2015-07-21 5:26 ` Bruno Thomsen
@ 2015-07-21 10:16 ` Michael Olbrich
2015-08-03 8:06 ` Bruno Thomsen
0 siblings, 1 reply; 4+ messages in thread
From: Michael Olbrich @ 2015-07-21 10:16 UTC (permalink / raw)
To: ptxdist
On Tue, Jul 21, 2015 at 05:26:20AM +0000, Bruno Thomsen wrote:
> > what do you think about a script to replace all existing MD5 hashes with SHA256 instead of replacing all of them individually?
>
> Okay, so you want to create a script that take all rules; download the source; sha256sum; modify rule.
Enable all Packages (and ALLYES) in a BSP and then run 'ptxdist get' to
download them all.
And the first step must be to support checking md5 or sha256, whichever is
available. We still need md5 so we don't break BSPs with local packages
during the transition.
> Sounds like a good idea, but then I would prefer that 2-3 ppl run the
> script, just to make sure different proxies are used.
While this is a nice idea, this only works for the existing packages. I
can't do the same for new packages or new versions of existing packages.
So far the checksum has only been a protection against broken archives or
stupid upstream. It is not a security feature. If we change that, then we
need a way to verify, that the initial checksums are correct. I don't know
how I can do that for new packages.
Michael
--
Pengutronix e.K. | |
Industrial Linux Solutions | http://www.pengutronix.de/ |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
--
ptxdist mailing list
ptxdist@pengutronix.de
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [ptxdist] Replace MD5 with SHA256 hashes all at once
2015-07-21 10:16 ` Michael Olbrich
@ 2015-08-03 8:06 ` Bruno Thomsen
0 siblings, 0 replies; 4+ messages in thread
From: Bruno Thomsen @ 2015-08-03 8:06 UTC (permalink / raw)
To: ptxdist
Hi Michael,
> Enable all Packages (and ALLYES) in a BSP and then run 'ptxdist get' to download them all.
> And the first step must be to support checking md5 or sha256, whichever is available. We still need md5 so we don't break BSPs with local packages during the transition.
>
> > Sounds like a good idea, but then I would prefer that 2-3 ppl run the
> > script, just to make sure different proxies are used.
>
> While this is a nice idea, this only works for the existing packages. I can't do the same for new packages or new versions of existing packages.
I don't expect we do this for new packages, only on exiting due to the sheer number of packages.
> So far the checksum has only been a protection against broken archives or stupid upstream. It is not a security feature. If we change that, then we need a way to verify, that the initial checksums are correct. I don't know how I can do that for new packages.
Ideally all upstream packages should include a SHA256 hash when they are releasing new versions.
Unfortunate we can't change the whole world in day :)
So continue with the current way of manual download and hash, but also include audit information about download URL (in case of mirrors) and date of download.
Suggested actions:
1) include SHA256 hash in rules
2) include audit info in commit message (hash source + date)
3) push upstream packages to include SHA256
4) prefer HTTPS/FTPS as source URL in rules
/Bruno
--
ptxdist mailing list
ptxdist@pengutronix.de
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-08-03 6:07 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-07-19 12:44 [ptxdist] Replace MD5 with SHA256 hashes all at once Clemens Gruber
2015-07-21 5:26 ` Bruno Thomsen
2015-07-21 10:16 ` Michael Olbrich
2015-08-03 8:06 ` Bruno Thomsen
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox