1. Forum
  2. Usenet
  3. LINUX.DEBIAN.DEVEL.CD

  • Upgrade the embedded checksum from MD5 to SHA256?

    From Roland Clobus@21:1/5 to All on Sun Dec 15 11:50:01 2024
    This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --------------9cJTLY9lpk489vgv00yLYHkB
    Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: base64

    SGVsbG8gbGlzdCwNCg0KSW4gdGhlIERlYmlhbi1pbnN0YWxsZXIgbWFpbiBtZW51IHRoZSBl bnRyeSAnQ2hlY2sgdGhlIGludGVncml0eSBvZiANCmluc3RhbGxhdGlvbiBtZWRpYScgdmVy aWZpZXMgd2hldGhlciB0aGUgY3VycmVudGx5IGJvb3RlZCBpbWFnZSBpcyANCnVudGFtcGVy ZWQgKHBhY2thZ2U9Y2Ryb20tY2hlY2tlcikuDQoNCkl0IHJlYWRzIHRoZSBmaWxlICdtZDVz dW0udHh0JyBhbmQgdmVyaWZpZXMgYWxsIGZpbGVzIGxpc3RlZCB0aGVyZSBbMV0uDQpJbiBs aXZlLWJ1aWxkIHdlIHByb3ZpZGUgc2hhMjU2c3VtLnR4dCBzaW5jZSAyMDIwLTAzLTE4LCBz aW5jZSBNRDUgDQpjaGVja3N1bXMgYXJlIGtub3duIHRvIGJlIGluc2VjdXJlLg0KDQpUaGVy ZSBhcmUgZ29vZCBpbnN0cnVjdGlvbnMgb24gdGhlIGRvd25sb2FkIHBhZ2VzIFsyXSB0aGF0 IGhlbHAgd2l0aCANCnZlcmlmaWNhdGlvbiBvZiB0aGUgZG93bmxvYWRlZCBJU08gZmlsZSB1 c2luZyBzaGEyNTYgYW5kIHNoYTUxMiwgYnV0IHRoZSANCnZlcmlmaWNhdGlvbiBvbiBhIGJv b3RlZCBtZWRpdW0gdXNlcyBvbmx5IG1kNS4NCg0KQ291bGQvU2hvdWxkIHRoZSBjaGVja3N1 bSBmaWxlIGJlIHVwZ3JhZGUgdG8gdXNlIHNoYTI1NiBpbnN0ZWFkIG9mIG1kNT8gDQpJIGNv dWxkIHByb3ZpZGUgYSBNUiBpZiBkZXNpcmVkLg0KDQpUaGUgY29zdDogMzIgYWRkaXRpb25h bCBieXRlcyBwZXIgZmlsZS4gKFdpdGggY3VycmVudGx5IGFib3V0IDEyMDAgZmlsZXMgDQp0 aGF0IHdvdWxkIGJlIDM4S2lCKQ0KDQpXaXRoIGtpbmQgcmVnYXJkcywNClJvbGFuZCBDbG9i dXMNCg0KWzFdIGh0dHBzOi8vc291cmNlcy5kZWJpYW4ub3JnL3NyYy9jZHJvbS1jaGVja2Vy LzEuNjUvbWFpbi5jLyNMMTE1DQpbMl0gaHR0cHM6Ly9nZXQuZGViaWFuLm9yZy9pbWFnZXMv d2Vla2x5LWxpdmUtYnVpbGRzL2FtZDY0L2lzby1oeWJyaWQvDQoNCg==

    --------------9cJTLY9lpk489vgv00yLYHkB--

    -----BEGIN PGP SIGNATURE-----

    iQIzBAEBCgAdFiEEUFVLM5Bdj7GSJEb+YsV8aqYUlb0FAmdes3gACgkQYsV8aqYU lb3n4g/+PdsmAfqH/aS3VeIWrY9A10bS767Qr7+lZXOlw/pDXka6ApYDfp0PTl3Z jV26fG+cV3VcU2LmN8xbIUpvdU1jTc7F3Ho9zTrmos1krpj/dZD/R8X2IXU8v9Rw oczLjdx+AMIL4jH6L19h9N7czzXZqbPIMXe+mYSVCb0NNmZaP1vcVR+ZWQO8VHG/ p1oFRXwL1Kw4M9iYTeOaX8v5oVnhu1QmwhPpg92VZiP7pGx//61il8OuIv12/GEp xP8apvYY1+m52I6x2htt5elTiWqvuHNimVtrVsEv8nzAAybbGKVnbNnT9LNjQJWz 6/9s5v6raSHbE+5FSp5WNHpiZzIEjvoM66E4HHl+ygUr1Lvx31oFsy1sukCzjAst 0ALvJR0k7zytsc3EzXGeS44WsSbjNr6WkD/BhbgyoB7xUI0xXwYEp0+e4lBarG9n DDi3T5m/GdRspP0JcZe6YdGX6XqizThBeLVAvlINaJcdXLS9r80BvAsjb8p9VtHP 81chhG6qgIYmEEuRZhIrJsZb159IuqWgtS8rc2s+LXkF4aVP9vERCI99GQYV3Kke d+rBDGy9apMcdsZMBmSqZlxoZskepoSOe/yNoRbPpKiMO7T6+VkCx4QSpVjw2Nt8 qxM2TG9VWV+IjuUrNb7Y63tYxP6R3cY7baf4rJ2Mzqo2bbaWSaQ=
    =A88N
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Steve McIntyre@21:1/5 to Roland Clobus on Mon Dec 16 15:30:01 2024
    Hey Roland!

    On Sun, Dec 15, 2024 at 11:46:15AM +0100, Roland Clobus wrote:

    In the Debian-installer main menu the entry 'Check the integrity of >installation media' verifies whether the currently booted image is untampered >(package=cdrom-checker).

    It reads the file 'md5sum.txt' and verifies all files listed there [1].
    In live-build we provide sha256sum.txt since 2020-03-18, since MD5 checksums >are known to be insecure.

    There are good instructions on the download pages [2] that help with >verification of the downloaded ISO file using sha256 and sha512, but the >verification on a booted medium uses only md5.

    That's fine IMHO: at this point, the checksum is for verifying media
    corruption rather than tampering. md5 is fine for that. We tell people
    how to verify an image download using stronger checksum, as that's the
    place that's likely to be attacked.

    Could/Should the checksum file be upgrade to use sha256 instead of md5? I >could provide a MR if desired.

    The cost: 32 additional bytes per file. (With currently about 1200 files that >would be 38KiB)

    I don't think this matters, tbh. Any other opinions?

    --
    Steve McIntyre, Cambridge, UK. [email protected] Who needs computer imagery when you've got Brian Blessed?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Cyril Brulebois@21:1/5 to All on Tue Dec 17 02:40:01 2024
    Steve McIntyre <[email protected]> (2024-12-16):
    That's fine IMHO: at this point, the checksum is for verifying media corruption rather than tampering. md5 is fine for that. We tell people
    how to verify an image download using stronger checksum, as that's the
    place that's likely to be attacked.

    Yes, that's the same kind of benefit we get from having md5sums shipped
    in deb files?

    I don't think this matters, tbh. Any other opinions?

    The status quo looks fine to me, switching does not seem crazy either
    (modulo making sure data shipped vs. code using it get with a suitable
    timing and/or with some fallback code, I didn't look into the details).


    Cheers,
    --
    Cyril Brulebois ([email protected]) <https://debamax.com/>
    D-I release manager -- Release team member -- Freelance Consultant

    -----BEGIN PGP SIGNATURE-----

    iQIzBAABCgAdFiEEtg6/KYRFPHDXTPR4/5FK8MKzVSAFAmdg1ckACgkQ/5FK8MKz VSA6uw/8DKzeBBujInJqYDHDX6Sm86Lg8KuNkLk9SDEcBDZTkx73/ebRNTL4LeJ0 JNXW5/XWjliVGBV9grU2I3bGgPKoY/a2OBCkBNGGHQ90n/tBvjIskyP14SN5CpPM YRPuzU6xkuqiaPXsxG/c8eIfS4TuNR6jqIMV2UlC+0UVSk5LS2bULJMmYZX3BpX0 XxjTeKzsYvnzI1afn7B7+MKc+BGcoqmqfr1leTLFo4ZTa3cvOPm68H7fni8Uydpx +w6tCaf7QRgNnsrX9RyDFNYXmG/eYnXUIIlzyXp+G9/zRdVKGhMYQj2h0jXZTmM4 5IxeeGkWvtJ73M3dkq/pg5A0hRicS77PIvPb0AMGzWQz+GAHfMUjmIV45eiZjzoc Oht616VQ3Fs9Ak6MJS50AhtzrImQVnBzQaK3Bul0ek4fOl478ply4mBLHkg4FW2e D197MWoCd6ocRZXPQPP0h+tKg6ArgIkF48sbLyZvHJX99R06BuLKSAdVHVxw9DfP dqlgyzh69NAzywTcILRKlLD79o6ZQkpFOJEe1fOQjCLqzCc7lAgK9hXftVBW7Xin 3AbaBb2ebtWneIR6H3SqEv7y8eX1cZv3TEFNB/Vv4Brr6ehxCsGQk+1fjUHrOQgo dX2AMXU53Hfu958fCoazEPhcTIU0PBJ+9ajjSGCAbiyha0EPWR4=
    =knhE
    -----END PGP SIGNATURE-----

    --- SoupGate-Win32 v1.05
    *