Project

Profile

Help

Story #5216

Updated by bmbouter about 4 years ago

## Background 

 Some users would like may not care to disallow the use of certain or store some checksums now determined to be insecure, e.g. like md5 or sha1. It is desirable to allow and sha1 which have known vulnerabilities. Allow users to configure which checksum types they want to use with Pulp. 

 ## When does Pulp call checksums? 

 When computing the Artifacts themselves a variety of checksums Note that some checksum types are [computed here](https://github.com/pulp/pulpcore/blob/5c77622365eb1e9b03f835dca5a4f536b1382cd6/pulpcore/app/models/content.py#L220-L230) and then stored on [the Artifact model's checksum fields](https://github.com/pulp/pulpcore/blob/5c77622365eb1e9b03f835dca5a4f536b1382cd6/pulpcore/app/models/content.py#L135-L140). 

 ## Feature plan 

 Introduce a new setting called `CONTENT_CHECKSUMS` which would identify the set() of CHECKSUMS that Pulp should be using. Here's an example of the default: 

 `CONTENT_CHECKSUMS = set("md5", "sha1", “sha224”, “sha256”, “sha384”, “sha512”)` 

 In this case, all checksums would be computed and stored required as they do today. are used to uniquely identify artifacts. See: https://github.com/pulp/pulpcore/blob/46e526cd155a244685989e3851f7e01a0493f3d4/pulpcore/app/models/content.py#L110-L112 

 If a user configured Also, this with: 

 `CONTENT_CHECKSUMS = set("sha1", “sha224”, “sha256”, “sha384”, “sha512”)` 

 Then all checksums would functionality will be computed and used except reused to support FIPS mode which doesn't allow md5. 

 If a user configured this with: 

 `CONTENT_CHECKSUMS = set(“sha224”, “sha256”, “sha384”, “sha512”)` 

 Then all checksums would be computed and used except md5 and sha1. 

Back