[ptxdist] Replace MD5 with SHA256 hashes all at once

[ptxdist] Replace MD5 with SHA256 hashes all at once

[Clemens Gruber]

Hi Bruno, Hi Michael,

what do you think about a script to replace all existing MD5 hashes with SHA256
instead of replacing all of them individually?

Regards,
Clemens

-- 
ptxdist mailing list
ptxdist@pengutronix.de

Re: [ptxdist] Replace MD5 with SHA256 hashes all at once

[Bruno Thomsen]

> what do you think about a script to replace all existing MD5 hashes with SHA256 instead of replacing all of them individually?

Okay, so you want to create a script that take all rules; download the source; sha256sum; modify rule.

Sounds like a good idea, but then I would prefer that 2-3 ppl run the script, just to make sure different proxies are used.

/Bruno

-- 
ptxdist mailing list
ptxdist@pengutronix.de

Re: [ptxdist] Replace MD5 with SHA256 hashes all at once

[Michael Olbrich]

On Tue, Jul 21, 2015 at 05:26:20AM +0000, Bruno Thomsen wrote:
> > what do you think about a script to replace all existing MD5 hashes with SHA256 instead of replacing all of them individually?
> 
> Okay, so you want to create a script that take all rules; download the source; sha256sum; modify rule.

Enable all Packages (and ALLYES) in a BSP and then run 'ptxdist get' to
download them all.
And the first step must be to support checking md5 or sha256, whichever is
available. We still need md5 so we don't break BSPs with local packages
during the transition.

> Sounds like a good idea, but then I would prefer that 2-3 ppl run the
> script, just to make sure different proxies are used.

While this is a nice idea, this only works for the existing packages. I
can't do the same for new packages or new versions of existing packages.

So far the checksum has only been a protection against broken archives or
stupid upstream. It is not a security feature. If we change that, then we
need a way to verify, that the initial checksums are correct. I don't know
how I can do that for new packages.

Michael

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

-- 
ptxdist mailing list
ptxdist@pengutronix.de

Re: [ptxdist] Replace MD5 with SHA256 hashes all at once

[Bruno Thomsen]

Hi Michael,

> Enable all Packages (and ALLYES) in a BSP and then run 'ptxdist get' to download them all.
> And the first step must be to support checking md5 or sha256, whichever is available. We still need md5 so we don't break BSPs with local packages during the transition.
>
> > Sounds like a good idea, but then I would prefer that 2-3 ppl run the 
> > script, just to make sure different proxies are used.
>
> While this is a nice idea, this only works for the existing packages. I can't do the same for new packages or new versions of existing packages.

I don't expect we do this for new packages, only on exiting due to the sheer number of packages.

> So far the checksum has only been a protection against broken archives or stupid upstream. It is not a security feature. If we change that, then we need a way to verify, that the initial checksums are correct. I don't know how I can do that for new packages.

Ideally all upstream packages should include a SHA256 hash when they are releasing new versions.
Unfortunate we can't change the whole world in day :)
So continue with the current way of manual download and hash, but also include audit information about download URL (in case of mirrors) and date of download.

Suggested actions:
1) include SHA256 hash in rules
2) include audit info in commit message (hash source + date)
3) push upstream packages to include SHA256
4) prefer HTTPS/FTPS as source URL in rules


/Bruno

-- 
ptxdist mailing list
ptxdist@pengutronix.de