tl;dr With pulpcore 3.11, the plan is to remove MD5 and SHA-1 from the list of default available checksums. RPM and Migration plugin users will need to add these back in at 3.11 upgrade time for their systems to continue working. Please give on-list feedback on this change.

## Background

Pulp has the `ALLOWED_CONTENT_CHECKSUMS` setting [0] which, by default, currently includes md5, sha-1, sha-224, sha-256, sha-384, and sha-512. Pulp code is restricted to only using hashers from this list. This feature gives admins the ability to prohibit hashers they do not trust. Pulp uses these checksums for package integrity verification when syncing and publishing content.

## Motivation

We need to make Pulp secure by default. MD5 is known to be insecure, and therefore it is unsafe for Pulp to allow its use for calculating package integrity by default. SHA-1 is widely believed to be insecure, or will be soon, and should not be allowed by default for the same reason.

## Proposal

Pulpcore 3.11 would remove md5 and sha-1 from the default list of allowed checksums, leaving sha-224..sha-512. Specifically, this change is occurring in the `ALLOWED_CONTENT_CHECKSUMS` setting [0]. This is only a change to the default settings; any specific system can be configured as desired. Nothing is "being taken away".

## Required User Action with 3.11

We believe both RPM plugin users and Migration plugin users will be impacted by this, mostly by the SHA-1 removal. SHA-1 is still used on a variety of CDNs, including Red Hat's. Data migrated from Pulp2 systems also likely uses SHA-1 and MD5 as the migration plugin runs.

If users are using the defaults for `ALLOWED_CONTENT_CHECKSUMS` and want to continue using SHA-1, they will need to update `ALLOWED_CONTENT_CHECKSUMS` in their settings file. Alternatively, users will need to run `pulpcore-manager handle-artifact-checksums` after upgrading to update any existing artifacts.

## Why not automate this?

We do not take manual user action at upgrade time lightly. However, this is a security change, and we believe we need each Pulp system to opt in for itself.

[0]: https://docs.pulpproject.org/pulpcore/settings.html#allowed-content-checksums

Thanks!
The Pulpcore Team
_______________________________________________ Pulp-dev mailing list Pulp-dev@redhat.com https://www.redhat.com/mailman/listinfo/pulp-dev
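
To make the upgrade impact in the message above concrete, here is an added illustration (not pulpcore's code and not part of the original message) of an allowlist-restricted integrity check: a repository that publishes only SHA-1 digests verifies under the old default, is rejected under the proposed 3.11 default, and works again once `sha1` is explicitly re-added. `pick_checksum` and `verify` are hypothetical helpers, and the setting values are assumed to be written as hashlib-style names.

```python
import hashlib
import hmac

# Assumption: setting values use hashlib-style names; lists mirror the defaults described above.
DEFAULT_BEFORE_3_11 = ["md5", "sha1", "sha224", "sha256", "sha384", "sha512"]
DEFAULT_FROM_3_11 = ["sha224", "sha256", "sha384", "sha512"]

# Constructed sample data: package bytes and the digests a repository might publish.
SAMPLE_PKG = b"constructed package payload"
LEGACY_METADATA = {"sha1": hashlib.sha1(SAMPLE_PKG).hexdigest()}
MODERN_METADATA = {**LEGACY_METADATA, "sha256": hashlib.sha256(SAMPLE_PKG).hexdigest()}


class ChecksumNotAllowed(Exception):
    """The metadata declares no digest type that the local allowlist permits."""


def pick_checksum(declared, allowed):
    """Return the longest-digest type that is both declared and allowed (hypothetical helper)."""
    usable = [name for name in allowed if name in declared]
    if not usable:
        raise ChecksumNotAllowed(
            f"declared {sorted(declared)}, allowed {sorted(allowed)}")
    return max(usable, key=lambda name: hashlib.new(name).digest_size)


def verify(data, declared, allowed):
    """Verify data against its declared digests using only allowed hashers."""
    name = pick_checksum(declared, allowed)
    actual = hashlib.new(name, data).hexdigest()
    if not hmac.compare_digest(actual, declared[name].lower()):
        raise ValueError(f"{name} mismatch")
    return name


if __name__ == "__main__":
    policies = [("pre-3.11 default", DEFAULT_BEFORE_3_11),
                ("3.11 default", DEFAULT_FROM_3_11),
                ("3.11 default + sha1", DEFAULT_FROM_3_11 + ["sha1"])]
    for label, allowed in policies:
        for kind, meta in [("sha1-only", LEGACY_METADATA), ("sha1+sha256", MODERN_METADATA)]:
            try:
                print(f"{label:20} {kind:12} -> verified with {verify(SAMPLE_PKG, meta, allowed)}")
            except ChecksumNotAllowed as exc:
                print(f"{label:20} {kind:12} -> rejected: {exc}")
```

Content that also publishes a SHA-256 digest is unaffected by the new default; only SHA-1-only or MD5-only sources require the explicit opt-in.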