directory-discuss

Re: 'Checksum' property is potentially problematic


From: Joël Krähemann
Subject: Re: 'Checksum' property is potentially problematic
Date: Thu, 14 Jan 2021 06:26:47 +0000

Hi all,

Didn't know that we have got a checksum field at all ... :-/

I provide GPG signatures for my packages on Savannah:

https://download.savannah.gnu.org/releases/gsequencer/

Actually started signing on 2016-12-08

https://sourceforge.net/projects/ags/

Can I use it with this field?

regards,
Joël

On Wed, 13 Jan 2021 at 17:56, Sebastian <seabass_fsd@gmx.co.uk> wrote:
>
> Dear all,
>
> In my efforts to add as much useful data to entries as possible, I
> inevitably came to the 'Checksum' property - it turns out this is not
> what I thought it was, and raises some interesting questions.
>
> I had assumed that this was a field to contain a checksum for the
> package's release of the version listed in the 'Version identifier'
> field, but it is actually configured to contain an HTTP URL to a
> checksum file.
>
> Firstly, I believe that the help bubble on the form is rather
> misleading:
>
> > Checksum of this free software release. Please use "sum" from the GNU
> > coreutils. Used during security checks.
>
> ...all the entries that have this property contain one of two types of
> cryptographic hashes, SHA-256 or the now-broken MD5 function.
> Admittedly, GNU coreutils contains programs to perform both of these
> hash functions, but the checksum produced by the GNU 'sum' command is so
> weak as to be useless for security checking.
>
> Secondly, if the checksum is supposed to refer to the specific package
> version (it appears below the download link in the normal page view),
> then I think this ought to be clear in the form as well: 'Version
> checksum' rather than 'Checksum'.
>
> These questions, however, make me wonder about the utility of such a
> field on the Directory. If the cryptographic hash is to be used for
> verifying the origin of the package (rather than just the integrity of
> the download), then the Free Software Directory must be completely
> trusted. This is because entries have direct download URLs - if a
> malicious actor could modify the download link to a similar-looking but
> dangerous address, then that same attacker would have no trouble in
> leading users down a false sense of security by changing the checksum as
> well. I imagine the same applies to the 'OpenPGP public key URL' field.
> Should the Free Software Directory really take on the burden of being a
> 'trust-broker' for packages as well as a mere catalogue?
>
> And finally, this property is not terribly popular[1]... Only 0.2% of
> entries have it!
>
> Best wishes,
>
> Sebastian
>
> --
> - Freenode: 'seabass'
> - Matrix: '@seabass:chat.weho.st'
> - FSD: 'Freefish'
>
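Sebastian's point above that the output of GNU `sum` is "so weak as to be useless for security checking", shown as an added example that is not code from this thread or from any project: a reimplementation of the 16-bit BSD checksum `sum` prints by default, and a search that appends at most nine bytes to an altered file so that `sum` reports the original value (and block count) while SHA-256 still tells the files apart. The release content is a constructed sample, and the search is my own breadth-first construction, not anything coreutils does.

```python
import hashlib

MASK = 0xFFFF
ROR = lambda c: (c >> 1) | ((c & 1) << 15)          # rotate 16-bit value right by one
ROL = lambda c: ((c << 1) | (c >> 15)) & MASK        # inverse rotation

def bsd_sum(data: bytes) -> int:
    """Checksum that coreutils `sum` prints in its default (BSD) mode: rotate a
    16-bit accumulator right by one, add the byte. Only 65536 outputs exist."""
    c = 0
    for b in data:
        c = (ROR(c) + b) & MASK
    return c

def forge_suffix(data: bytes, target: int) -> bytes:
    """Bytes which, appended to data, make bsd_sum(data + suffix) == target.
    Breadth-first search over the 16-bit states: one more byte moves state c to one
    of ROR(c)..ROR(c)+255, and those intervals cover all states within nine steps."""
    levels = [bytearray(MASK + 1)]          # levels[k][s] == 1: s reachable with k bytes
    levels[0][bsd_sum(data)] = 1
    while not levels[-1][target]:
        prev, nxt = levels[-1], bytearray(MASK + 1)
        for c in range(MASK + 1):
            if prev[c]:
                r, end = ROR(c), ROR(c) + 256
                nxt[r:end] = b"\x01" * (min(end, MASK + 1) - r)
                if end > MASK + 1:          # interval wraps around past 0xFFFF
                    nxt[:end - MASK - 1] = b"\x01" * (end - MASK - 1)
        levels.append(nxt)
    suffix, x = [], target                  # walk back, one predecessor per level
    for k in range(len(levels) - 1, 0, -1):
        for b in range(256):
            p = ROL((x - b) & MASK)         # the state with ROR(p) + b == x
            if levels[k - 1][p]:
                suffix.append(b)
                x = p
                break
    return bytes(reversed(suffix))
# Constructed stand-in for a release file, and a copy of it that has been altered.
ORIGINAL = b"#!/bin/sh\n# install script of a sample release (constructed)\nPREFIX=/usr/local\nmake install\n"
TAMPERED = ORIGINAL.replace(b"/usr/local", b"/tmp/untrusted")

def demo() -> dict:
    """Make `sum` report the original checksum and block count for the altered file."""
    forged = TAMPERED + forge_suffix(TAMPERED, bsd_sum(ORIGINAL))
    blocks = lambda d: (len(d) + 1023) // 1024       # second number `sum` prints
    return {"sum_equal": bsd_sum(forged) == bsd_sum(ORIGINAL),
            "blocks_equal": blocks(forged) == blocks(ORIGINAL),
            "suffix_len": len(forged) - len(TAMPERED),
            "sha256_equal": hashlib.sha256(forged).digest() == hashlib.sha256(ORIGINAL).digest()}
```

A SHA-256 in the entry would catch this alteration, but, as the quoted message notes, a hash published next to the download link only proves integrity of what the Directory points at, not who produced it.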
