Re: 'Checksum' property is potentially problematic
From: Lorenzo L. Ancora
Subject: Re: 'Checksum' property is potentially problematic
Date: Sun, 17 Jan 2021 14:20:46 +0000
User-agent: Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0
Hi Sebastian,
allow me to assist you.
> Firstly, I believe that the help bubble on the form is rather
> misleading:
>> Checksum of this free software release. Please use "sum" from the GNU
>> coreutils. Used during security checks.
> ...all the entries that have this property contain one of two types of
> cryptographic hashes, SHA-256 or the now-broken MD5 function.
> Admittedly, GNU coreutils contains programs to perform both of these
> hash functions, but the checksum produced by the GNU 'sum' command is so
> weak as to be useless for security checking.
Checksums, as their name says ("check-sums"), are not hash function
digests and as such are not meant to be collision-free; their only
purpose is to ensure file integrity and to help distinguish files in a
certain repository.
The checksum field can be useful when it is not possible to obtain a
permalink to a specific release and the download page of a piece of
software is cluttered with download links. During security checks it is
used to identify a specific version of a specific package among many
others and, if necessary, to ensure its integrity and then search on the
web for a sane tarball.
> I had assumed that this was a field to contain a checksum for the
> package's release of the version listed in the 'Version identifier'
> field, but it is actually configured to contain an HTTP URL to a
> checksum file.
The occasional presence of a checksum instead of a link to a checksum
poses no issue, because the field is not meant to be used by bots or
scripts and, even in such a case, trying to resolve a checksum would
simply produce a common NXDOMAIN DNS error.
> Secondly, if the checksum is supposed to refer to the specific package
> version (it appears below the download link in the normal page view),
> then I think this ought to be clear in the form as well: 'Version
> checksum' rather than 'Checksum'.
Different versions will always have different checksums; the same is
true for different releases of the same version.
For this reason the checksum does not refer to a version, but to a file:
a release may also be published in different compressed formats, but the
checksum refers to the format that has been tested.
> These questions, however, make me wonder about the utility of such a
> field on the Directory. If the cryptographic hash is to be used for
> verifying the origin of the package (rather than just the integrity of
> the download), then the Free Software Directory must be completely
> trusted. This is because entries have direct download URLs - if a
> malicious actor could modify the download link to a similar-looking but
> dangerous address, then that same attacker would have no trouble in
> leading users down a false sense of security by changing the checksum as
> well. I imagine the same applies to the 'OpenPGP public key URL' field.
> Should the Free Software Directory really take on the burden of being a
> 'trust-broker' for packages as well as a mere catalogue?
The Directory has a manual approval system for this reason as well. :-)
Only admins can make page versions visible.
The Directory guarantees that certain software is free but does not host
any software and therefore does not guarantee its reliability, integrity
or security, which are always the responsibility of the host by law.
This is normal and has been the case since the Internet was born:
whoever creates or hosts software takes responsibility for it.
> And finally, this property is not terribly popular[1]... Only 0.2% of
> entries have it!
The use of this property is optional. As the above cases are a minority,
this is normal.
Best regards,
Lorenzo
PS: don't worry, in future we will provide better documentation to
prevent misunderstandings. ;-)
On 13/01/21 17:56, Sebastian wrote:
> Dear all,
>
> In my efforts to add as much useful data to entries as possible, I
> inevitably came to the 'Checksum' property - it turns out this is not
> what I thought it was, and raises some interesting questions.
>
> I had assumed that this was a field to contain a checksum for the
> package's release of the version listed in the 'Version identifier'
> field, but it is actually configured to contain an HTTP URL to a
> checksum file.
>
> Firstly, I believe that the help bubble on the form is rather
> misleading:
>
>> Checksum of this free software release. Please use "sum" from the GNU
>> coreutils. Used during security checks.
>
> ...all the entries that have this property contain one of two types of
> cryptographic hashes, SHA-256 or the now-broken MD5 function.
> Admittedly, GNU coreutils contains programs to perform both of these
> hash functions, but the checksum produced by the GNU 'sum' command is so
> weak as to be useless for security checking.
>
> Secondly, if the checksum is supposed to refer to the specific package
> version (it appears below the download link in the normal page view),
> then I think this ought to be clear in the form as well: 'Version
> checksum' rather than 'Checksum'.
>
> These questions, however, make me wonder about the utility of such a
> field on the Directory. If the cryptographic hash is to be used for
> verifying the origin of the package (rather than just the integrity of
> the download), then the Free Software Directory must be completely
> trusted. This is because entries have direct download URLs - if a
> malicious actor could modify the download link to a similar-looking but
> dangerous address, then that same attacker would have no trouble in
> leading users down a false sense of security by changing the checksum as
> well. I imagine the same applies to the 'OpenPGP public key URL' field.
> Should the Free Software Directory really take on the burden of being a
> 'trust-broker' for packages as well as a mere catalogue?
>
> And finally, this property is not terribly popular[1]... Only 0.2% of
> entries have it!
>
> Best wishes,
>
> Sebastian
>
> --
> - Freenode: 'seabass'
> - Matrix: '@seabass:chat.weho.st'
> - FSD: 'Freefish'
>
--
All messages from/to this account should be considered private.
Messages from/to newsletters should not be reshared.
TZ: Europe/Rome (Italy - CEST).
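As an added illustration of the distinction drawn in this thread (this is not code from the Directory or from either correspondent): the 16-bit BSD checksum that GNU `sum` prints by default, beside SHA-256 verification against a `sha256sum`-style checksum file of the kind the 'Checksum' URL points at. The release bytes, file name and checksum file below are constructed for the demonstration.

```python
import hashlib
import hmac

def bsd_sum(data: bytes) -> int:
    """16-bit BSD checksum, the default algorithm of GNU coreutils 'sum'."""
    checksum = 0
    for byte in data:
        checksum = (checksum >> 1) + ((checksum & 1) << 15)  # rotate right by one bit
        checksum = (checksum + byte) & 0xFFFF
    return checksum

def find_sum_collision():
    """Return two distinct printable 2-byte inputs with equal 'sum' output.
    Only 65536 outputs exist, so unrelated files easily share a checksum."""
    seen = {}
    for x in range(32, 127):
        for y in range(32, 127):
            candidate = bytes([x, y])
            value = bsd_sum(candidate)
            if value in seen:
                return seen[value], candidate
            seen[value] = candidate
    return None

def parse_checksum_file(text: str) -> dict:
    """Parse sha256sum-style lines: '<hex>  <name>' (text) or '<hex> *<name>' (binary)."""
    table = {}
    for line in text.splitlines():
        digest, _, rest = line.strip().partition(" ")
        if not digest or digest.startswith("#") or not rest:
            continue
        name = rest[1:] if rest[0] in " *" else rest
        table[name] = digest.lower()
    return table

def verify_sha256(data: bytes, name: str, checksums: dict) -> bool:
    """True only if 'data' hashes to the SHA-256 recorded for 'name'."""
    expected = checksums.get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual.encode(), expected.encode())

# Constructed sample: a stand-in release file and the checksum file an entry's URL would point at.
RELEASE_NAME = "example-1.0.tar.gz"
RELEASE_DATA = b"abc"
CHECKSUM_FILE = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  example-1.0.tar.gz\n"
```

`find_sum_collision()` finds two different inputs with the same `sum` value almost immediately, while `verify_sha256` only accepts the exact bytes the checksum file describes.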