Launchpad itself

Please remove md5sum and sha1 from the archive metadata

Bug #1883271 reported by Dimitri John Ledkov
268
This bug affects 2 people
Affects Status Importance Assigned to Milestone
Launchpad itself
Triaged
Low
Unassigned

Bug Description

MD5Sum and SHA1 headers are still calculated and published in http://archive.ubuntu.com/ubuntu/dists/groovy/InRelease

these are no longer required, are weak, and bloat the metadata by a lot.

Please remove MD5Sum and SHA1 checksums from repository publishing.

Related branches

~xnox/launchpad:only-sha256
On hold for merging into launchpad:master
Steve Langasek (community): Abstain
Andy Whitcroft: Pending requested
Ubuntu Package Archive Administrators: Pending requested
Canonical Security Team: Pending requested
Julian Andres Klode: Pending requested
Launchpad code reviewers: Pending requested
Diff: 526 lines (+52/-126)
9 files modified
lib/lp/archivepublisher/indices.py (+0/-10)
lib/lp/archivepublisher/model/ftparchive.py (+11/-1)
lib/lp/archivepublisher/publishing.py (+2/-26)
lib/lp/archivepublisher/tests/apt-data/Packages (+0/-3)
lib/lp/archivepublisher/tests/apt-data/Sources (+0/-10)
lib/lp/archivepublisher/tests/test_generate_contents_files.py (+1/-1)
lib/lp/archivepublisher/tests/test_indices.py (+2/-22)
lib/lp/archivepublisher/tests/test_publish_ftpmaster.py (+3/-2)
lib/lp/archivepublisher/tests/test_publisher.py (+33/-51)
Dimitri John Ledkov (xnox)
tags: added: md5sum
information type: Public → Public Security
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

They can be safely removed in bionic and up.

d-i / anna, require MD5SUMs in xenial and down. And we still publish update to debian-installer/* suites.

Thus a blanket approach to remove MD5 & SHA1 can only be taken, once xenial goes end of basic support next year.

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

It feels like a schema change might be needed to support this.

I.e. introduce a "publish_md5sha1_hashes" boolean publishing_option on the distroseries, default True.

in the publishing.py filter out md5sha1, if the above publishing_option on the distroseries is false.

then set it to false on bionic and up.

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

Although I guess it should be like index_compressors, i.e. a list of things to do.

Cause we will be adding/removing hashes going into the future.

Kristian Glass (doismellburning)
Changed in launchpad:
importance: Undecided → High
status: New → Triaged
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

Comparing the current groovy unsplit mirror dists/, with the one that has md5&sha1 hashes stripped, and recompressed, the grand total win is 35MB.

I think the fact that we added one more kernel in groovy kills any of this gain, in terms of disk saving.

So "improvement" impact from doing this is surely negligible.

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

It feels that "High" should be changed to "Wishlist"

Francis Ginther (fginther)
tags: added: id-5ef3b1a12290ae708350f26f
Colin Watson (cjwatson)
Changed in launchpad:
importance: High → Low
Revision history for this message
Dimitri John Ledkov (xnox) wrote :

This is now causing active pain.

For FIPS certifcation of Ubuntu libraries we had to re-implement and re-add md5 with a usage indicator that it is not certified for use. Which costs us development time, and delays in submitting Ubuntu 22.04 for FIPS certification.

Separately sha1 has been deprecated by NIST and purchasing software that uses sha1 will be prohibited in 2030.

This is sort of already within the lifetime of Jammy.

Please remove MD5 and SHA1 from all currently supported Ubuntu Archive releases, as all of them support better hashes.

tags: added: fips sha1sum
Revision history for this message
Colin Watson (cjwatson) wrote :

It doesn't make any sense for this to block FIPS certification. The mere presence of the metadata doesn't require anything to validate it.

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

Correct presence does not matter. Apt however checks everything that is present. And uses libraries in FIPS mode, and crashes if libgnutls30 doesn't implement or refuses to provide MD5.

This hasn't blocked FIPS submission for Jammy, but made it harder to do so. As we had rebuild gnutls, add md5, add custom code to add FIPS indicator that md5 usage taints APT. Add policy documents explaining that MD5 is available but should not be used, blah blah blah.

Waste of time, engineering, Atsec certification, delaying submission of FIPS, etc.

Also every single FIPS sales is confusing, as they keep looking at our policy documents and questioning why we offer MD5, and have it available at runtime and it is excluded, when it would make this more simple for it to not exist at all.

Revision history for this message
Dimitri John Ledkov (xnox) wrote :

I don't want to do this ever again, and actually I do want to remove md5 from the distro without anything breaking.

Revision history for this message
William Grant (wgrant) wrote :

It seems extremely ambitious to remove this retroactively from stable series.

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.