I marked it "wontfix" because it seems to most accurately reflect the
state of things; the Ubuntu security team does not have resources to
propose these kinds of changes for dpkg, and considering the threat
model that debsums/dpkg's file md5sums are designed to address, it's
easy to see why no one
But if they have it still in their long list things to do, shouldn't it
stay in that list rather than be kicked off it? Also, has this been
requested upstream? Because maybe they simply don't know about the
request and that's why they haven't done any work towards it?
There is nothing wrong with making the request. But it seems the dpkg
developers have not chosen to make it a priority; the most recent work
was from six years ago. This is reasonable because the checksums are
not intended as a security mechanism. So “Won’t Fix” is an accurate
description of
I don't see an issue with users requesting debsums to support SHA-256 as
well as MD5. Also, why are you marking the issue in dpkg as "Won't Fix"?
It is an important thing to be fixed in dpkg; they shouldn't still be
using MD5.
When I commented on this earlier to say it really does need looking
into, I was actually meaning the issue in dpkg, not debsums; that's up
to the developer of that to fix if they want to. And users should be
free to make such requests.
Marking Ubuntu GNOME as Invalid as that's just far too broad.
Marking debsums and dpkg as Wontfix because debsums is not intended to
be a security tool:
debsums is intended primarily as a way of determining what
installed files have been locally modified by the
administrator
** Changed in: ubuntu-gnome
Status: Confirmed => Invalid
** Changed in: debsums (Ubuntu)
Status: Confirmed => Won't Fix
** Changed in: dpkg (Ubuntu)
Status: Confirmed => Won't Fix
Something really does need to be done about this.
** Tags added: precise
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1100295
Title:
MD5 is insecure, add modern hashing
To manage notifications
** Changed in: debsums (Ubuntu)
Importance: Undecided => High
** Changed in: dpkg (Ubuntu)
Importance: Undecided => High
** Tags added: trusty vivid wily xenial
I edited the SHAs listed in the report because the ones listed there
were just as vulnerable now mostly as MD5.
** Description changed:
MD5 is insecure due to hash collisions.
- Add more modern and reliable hashing algorithms such as SHA-1, SHA-2 or
- SHA-3.
+ Add more modern and reliable
No. apt uses the archive’s SHA-256 hashes to verify packages when they
are initially downloaded, but debsums is for re-checking the installed
files after installation, and the only currently available per-file
hashes are MD5.
See https://wiki.debian.org/Sha256sumsInPackages for some prior work in
APT does provide the SHA256SUM for packages as can be seen by using
"apt-cache policy" to view information on a package. So can't debsums
get the information this way?
** Changed in: dpkg (Ubuntu)
Status: New => Confirmed
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: debsums (Ubuntu)
Status: New => Confirmed
This can’t be fixed in debsums because dpkg only exposes an MD5
database. Although this isn’t ideal, there’s no cause for immediate
alarm; debsums only needs resistance against second preimage attacks.
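As an added example (not code from debsums, dpkg or any of the commenters), this is the check the comments above describe: parse dpkg's per-package md5sums list, hash the installed files and report which ones were modified locally, which is the second-preimage setting the thread refers to. The `algo` parameter and the constructed package tree in `demo()` are assumptions for illustration; dpkg itself only ships MD5 lists.

```python
import hashlib
import os
import tempfile

def parse_sums(text):
    """Parse dpkg md5sums lines ('<hex>  <relative path>') into {path: hex}."""
    sums = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, sep, path = line.partition("  ")
        if not sep or not path:
            raise ValueError(f"malformed md5sums line: {line!r}")
        sums[path] = digest.lower()
    return sums

def hash_file(path, algo="md5"):
    """Hash a file; dpkg's real lists are MD5, algo only shows where a swap goes."""
    with open(path, "rb") as f:
        return hashlib.new(algo, f.read()).hexdigest()

def check_sums(sums, root="/", algo="md5"):
    """Compare installed files under root with the parsed list (what debsums does)."""
    result = {"ok": [], "changed": [], "missing": []}
    for rel, expected in sorted(sums.items()):
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            result["missing"].append(rel)
        elif hash_file(full, algo) != expected:
            result["changed"].append(rel)
        else:
            result["ok"].append(rel)
    return result

def demo():
    """Constructed package tree in a temp dir, then one locally edited file."""
    root = tempfile.mkdtemp()
    files = {"usr/bin/hello": b"#!/bin/sh\necho hello\n",
             "etc/hello.conf": b"verbose=0\n"}
    lines = []
    for rel, data in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
        lines.append(f"{hashlib.md5(data).hexdigest()}  {rel}")
    sums = parse_sums("\n".join(lines) + "\n")
    with open(os.path.join(root, "etc/hello.conf"), "ab") as f:
        f.write(b"verbose=1\n")  # simulated local modification by the administrator
    return check_sums(sums, root)
```

Running `demo()` reports `etc/hello.conf` as changed and `usr/bin/hello` as unmodified; pointing `check_sums` at a real `/var/lib/dpkg/info/<package>.md5sums` with `root="/"` performs the same comparison debsums makes.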
Oh, then this should be fixed in dpkg too.
** Also affects: dpkg (Ubuntu)
Importance: Undecided
Status: New
By the way, apt already has a related bug:
https://bugs.launchpad.net/bugs/1098738