Bug#849377: debsums: Replace MD5 with a more secure algorithm
Axel Beckert
abe at debian.org
Mon Dec 26 17:59:48 UTC 2016
Control: tag -1 + confirmed
Control: severity -1 important
Control: block -1 by 540215
Control: retitle -1 debsums: Replace MD5 with a more secure algorithm, e.g. SHA256
Hi,
Javier Serrano Polo wrote:
> It would be nice if debsums worked with an algorithm more secure than
> MD5.
Yes, but before that, there need to be packages which support that.
See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=540215#55
where this has been stated in the past. I fully agree with Ryan (the
previous maintainer of debsums).
> This issue is tracked at
> https://wiki.debian.org/Sha256sumsInPackages , but it does not seem
> to be any progress.
Indeed, there it says "dpkg: √ sha256sums file is saved in
/var/lib/dpkg/info/", but on an up-to-date Debian Sid I see not a single
file with "ls -l /var/lib/dpkg/info/*.sha*sum*".
> While waiting for a proper solution, could you add this
> text to the package description?
>
> "MD5 is considered weak nowadays. Do not rely on debsums to detect
> malicious changes."
>
> This concern is because it is easy to craft programs with the same MD5
> hash that follow different execution paths.
With that argument, dpkg would need the same addition for its "dpkg
--verify". So I'd rather implement SHA256 checking if there were a
package I could test that with.
So
Regards, Axel
--
 ,''`.  |  Axel Beckert <abe at debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
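As an added example, not code from the message above and not debsums or dpkg code: a small Python verifier for the manifest format dpkg writes to /var/lib/dpkg/info/<pkg>.md5sums ("<hex digest>  <path relative to />", two spaces), with the digest algorithm chosen from the manifest suffix so the same check would work on a .sha256sums file if dpkg shipped one. The .sha256sums suffix is an assumption (the message notes no such files exist on Sid), and the installed tree, package name "demo" and file contents are constructed in a temporary directory so the script runs offline. The point the thread makes still holds: a verifier like this detects accidental corruption, a missing file or a naive replacement with either algorithm, but only the SHA-256 manifest gives confidence against a deliberately crafted MD5 collision, which no local check can demonstrate.

```python
"""Verify a dpkg-style checksum manifest against an installed tree.

Added example, not debsums or dpkg code. The algorithm is selected from the
manifest suffix; the .sha256sums entry is hypothetical (dpkg only writes
.md5sums on the system described in the message).
"""
import hashlib
import tempfile
from pathlib import Path

# Manifest suffix -> hashlib algorithm name. ".sha256sums" is an assumption.
ALGORITHMS = {".md5sums": "md5", ".sha256sums": "sha256"}


def file_digest(path: Path, algorithm: str) -> str:
    """Stream a file through hashlib and return its lowercase hex digest."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str):
    """Parse '<hex>  <relative path>' lines as dpkg writes them (no leading /)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, _, relpath = line.partition("  ")
        entries.append((digest.strip(), relpath))
    return entries


def verify_manifest(manifest: Path, root: Path) -> dict:
    """Return {relative path: 'OK' | 'FAILED' | 'MISSING'} for every entry."""
    algorithm = ALGORITHMS[manifest.suffix]
    results = {}
    for expected, relpath in parse_manifest(manifest.read_text()):
        target = root / relpath
        if not target.is_file():
            results[relpath] = "MISSING"
        elif file_digest(target, algorithm) != expected:
            results[relpath] = "FAILED"
        else:
            results[relpath] = "OK"
    return results


def write_manifest(root: Path, files, algorithm: str, suffix: str,
                   info_dir: Path, pkg: str) -> Path:
    """Write a manifest in dpkg's format for the given files under root."""
    lines = [f"{file_digest(root / f, algorithm)}  {f}" for f in files]
    manifest = info_dir / f"{pkg}{suffix}"
    manifest.write_text("\n".join(lines) + "\n")
    return manifest


def demo() -> dict:
    """Constructed tree: package 'demo' with two files, then tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        info_dir = root / "var/lib/dpkg/info"
        info_dir.mkdir(parents=True)
        files = ["usr/bin/demo", "usr/share/doc/demo/README"]
        for f in files:
            (root / f).parent.mkdir(parents=True, exist_ok=True)
            (root / f).write_bytes(f"contents of {f}\n".encode())
        md5 = write_manifest(root, files, "md5", ".md5sums", info_dir, "demo")
        sha = write_manifest(root, files, "sha256", ".sha256sums", info_dir, "demo")
        before = verify_manifest(md5, root)
        # Replace the binary and delete the documentation file.
        (root / "usr/bin/demo").write_bytes(b"replaced\n")
        (root / "usr/share/doc/demo/README").unlink()
        return {
            "before_md5": before,
            "after_md5": verify_manifest(md5, root),
            "after_sha256": verify_manifest(sha, root),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running the script prints all entries OK before tampering and FAILED/MISSING afterwards for both manifests; the only code that differs between the two checks is the algorithm name, which is why the thread treats the missing .sha256sums files, not debsums itself, as the blocker.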