Project

Profile

Help

Story #8246

closed

Task #7960: FIPS and support for ALLOWED_CONTENT_CHECKSUMS

As a user, I do not have md5 and sha1 in ALLOWED_CONTENT_CHECKSUMS by default

Added by bmbouter almost 4 years ago. Updated over 3 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
Normal
Assignee:
Category:
-
Sprint/Milestone:
Start date:
Due date:
% Done:

100%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Sprint:
Sprint 90
Quarter:

Description

Current State

Currently the ALLOWED_CONTENT_CHECKSUMS contains ["md5", "sha1", "sha224", "sha256", "sha384", "sha512"] in the settings file.

Also the CI adjusts this default to remove MD5 from this list, and there are tests which expect that MD5 to be disincluded.

Removing MD5 and SHA1

We want to make Pulp secure by default. MD5 is known to be insecure, and therefore it is unsafe for Pulp to allow its use for calculating package integrity by default. SHA-1 is widely believed to be insecure, or will be soon, and should not be allowed by default for the same reason.

Future State

  • MD5 and SHA1 will no longer be in ALLOWED_CONTENT_CHECKSUMS by default.
  • The CI will no longer set this setting as it is not required.
Actions #1

Updated by bmbouter almost 4 years ago

  • Status changed from NEW to ASSIGNED
  • Assignee set to bmbouter
Actions #2

Updated by bmbouter almost 4 years ago

  • Description updated (diff)
Actions #3

Updated by pulpbot almost 4 years ago

  • Status changed from ASSIGNED to POST

Added by bmbouter almost 4 years ago

Revision e5346955 | View on GitHub

Removes md5 and sha1 from checksum defaults

The md5 and sha1 checksums are not considered secure and therefore should not be included as available hashers for Pulp to perform Artifact integrity checks with.

This PR:

  • Removes them from the default in settings
  • Updates the ALLOWED_CONTENT_CHECKSUMS settings documentation.
  • Re-applies the plugin_tepmlate to no longer modify the set of allowed checksums in the CI environment.

closes #8246

Actions #4

Updated by bmbouter almost 4 years ago

  • Status changed from POST to MODIFIED
  • % Done changed from 0 to 100
Actions #5

Updated by daviddavis almost 4 years ago

  • Sprint set to Sprint 90
Actions #6

Updated by ipanova@redhat.com over 3 years ago

  • Sprint/Milestone set to 3.11.0
Actions #7

Updated by ipanova@redhat.com over 3 years ago

  • Status changed from MODIFIED to CLOSED - CURRENTRELEASE

Also available in: Atom PDF