Re: 'Checksum' property is potentially problematic
From: Donald Robertson
Subject: Re: 'Checksum' property is potentially problematic
Date: Fri, 15 Jan 2021 09:28:42 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0
On 1/13/21 12:56 PM, Sebastian wrote:
> Dear all,
>
> In my efforts to add as much useful data to entries as possible, I
> inevitably came to the 'Checksum' property - it turns out this is not
> what I thought it was, and raises some interesting questions.
>
> I had assumed that this was a field to contain a checksum for the
> package's release of the version listed in the 'Version identifier'
> field, but it is actually configured to contain an HTTP URL to a
> checksum file.
>
> Firstly, I believe that the help bubble on the form is rather
> misleading:
>
>> Checksum of this free software release. Please use "sum" from the GNU
>> coreutils. Used during security checks.
>
> ...all the entries that have this property contain one of two types of
> cryptographic hashes, SHA-256 or the now-broken MD5 function.
> Admittedly, GNU coreutils contains programs to perform both of these
> hash functions, but the checksum produced by the GNU 'sum' command is so
> weak as to be useless for security checking.
>
> Secondly, if the checksum is supposed to refer to the specific package
> version (it appears below the download link in the normal page view),
> then I think this ought to be clear in the form as well: 'Version
> checksum' rather than 'Checksum'.
>
> These questions, however, make me wonder about the utility of such a
> field on the Directory. If the cryptographic hash is to be used for
> verifying the origin of the package (rather than just the integrity of
> the download), then the Free Software Directory must be completely
> trusted. This is because entries have direct download URLs - if a
> malicious actor could modify the download link to a similar-looking but
> dangerous address, then that same attacker would have no trouble in
> leading users down a false sense of security by changing the checksum as
> well. I imagine the same applies to the 'OpenPGP public key URL' field.
> Should the Free Software Directory really take on the burden of being a
> 'trust-broker' for packages as well as a mere catalogue?
>
> And finally, this property is not terribly popular[1]... Only 0.2% of
> entries have it!
>
We are planning to move things around a bit in terms of the fields,
because fields like this aren't really required to have a useful entry.
When the form was originally created, I think Josh just wanted to get as
much coverage as possible for the types of information that people could
fill in. Having everything as fields would make the Directory more
useful for machines to scrape and use the data. But it means that the
form right now has way too many fields, which can be discouraging for
people just starting out.
The plan wasn't to remove any fields, but rather to move most of them
away from the main page of the form, so that users know what the high
impact fields are and focus on those. As you point out, people generally
have skipped many of these other fields.
As for the checksum field, I'm not actually sure what it's supposed to be
exactly; I've never actually filled it in. I can ask Josh what it was
supposed to do, and then we can compare it with how the few entries that
have it are using it, and determine what to do with it.
--
Donald R. Robertson, III, J.D.
Licensing & Compliance Manager
Free Software Foundation
51 Franklin Street, Fifth Floor
Boston, MA 02110
Phone +1-617-542-5942
Fax +1-617-542-2652 ex. 56
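The point Sebastian raises about the help text, that the checksum printed by GNU `sum` is useless for security checking while the entries actually carry SHA-256 or MD5 digests, can be demonstrated concretely. The script below is an added illustration and is not part of this thread or of the Free Software Directory's code. It re-implements the 16-bit rotating checksum that coreutils `sum` prints in its default (BSD) mode, finds two different byte strings with the same `sum` value by a birthday search (only 65536 possible values, so a few hundred random inputs suffice), and then checks both against a constructed checksum file in `sha256sum` output format, the way `sha256sum -c` would. The file name `pkg-1.0.tar.gz` and the checksum-file contents are made up for the example.

```python
"""Added example, not from the thread: why a 16-bit `sum` checksum is
useless as a security check while SHA-256 is not.

Re-implements the rotating 16-bit checksum that GNU coreutils `sum`
prints by default (BSD mode), finds two different inputs with the same
checksum by a birthday search, then verifies both against a constructed
checksum file in the `sha256sum` output format.
"""
import hashlib
import hmac
import random
from typing import Dict, Iterable, Tuple


def bsd_sum(data: bytes) -> int:
    """16-bit rotating checksum used by `sum` in its default (BSD) mode."""
    checksum = 0
    for byte in data:
        # rotate right by one bit, then add the byte, modulo 2**16
        checksum = (checksum >> 1) + ((checksum & 1) << 15)
        checksum = (checksum + byte) & 0xFFFF
    return checksum


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_sum_collision(length: int = 16, seed: int = 1) -> Tuple[bytes, bytes]:
    """Birthday search: with only 65536 possible checksums, a few hundred
    random inputs are enough to find two distinct ones that collide."""
    rng = random.Random(seed)
    seen: Dict[int, bytes] = {}
    while True:
        candidate = bytes(rng.randrange(256) for _ in range(length))
        digest = bsd_sum(candidate)
        if digest in seen and seen[digest] != candidate:
            return seen[digest], candidate
        seen[digest] = candidate


def check_sha256sum_file(lines: Iterable[str], files: Dict[str, bytes]) -> Dict[str, bool]:
    """Verify files against lines in `sha256sum` output format
    ("<64 hex chars>  <name>"), as `sha256sum -c` does. Comments and
    blank lines are skipped; a listed file that is missing fails."""
    results: Dict[str, bool] = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed checksum line: {line!r}")
        expected, name = parts
        name = name.lstrip("*")  # sha256sum marks binary mode with a leading '*'
        if name not in files:
            results[name] = False
            continue
        actual = sha256_hex(files[name])
        # constant-time comparison of the hex digests
        results[name] = hmac.compare_digest(actual, expected.lower())
    return results


def demo() -> Dict[str, object]:
    genuine, forged = find_sum_collision()
    # Constructed checksum file (hypothetical name): what an entry's
    # "Checksum" URL might point at for the genuine release.
    checksum_file = [
        "# constructed sample, not a real release",
        f"{sha256_hex(genuine)}  pkg-1.0.tar.gz",
    ]
    return {
        "sum_genuine": bsd_sum(genuine),
        "sum_forged": bsd_sum(forged),
        "sha256_check_genuine": check_sha256sum_file(checksum_file, {"pkg-1.0.tar.gz": genuine}),
        "sha256_check_forged": check_sha256sum_file(checksum_file, {"pkg-1.0.tar.gz": forged}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the two inputs sharing one `sum` value, so a `sum`-based check would accept the forged file, while the SHA-256 check passes only for the genuine one. Note that this only addresses integrity of the download; as the thread observes, if the same party controls both the download URL and the checksum URL, a matching digest says nothing about origin.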