
Story #8246

Updated by bmbouter 7 months ago

## Current State

Currently, the [`ALLOWED_CONTENT_CHECKSUMS`](https://docs.pulpproject.org/pulpcore/settings.html#allowed-content-checksums) setting defaults to `["md5", "sha1", "sha224", "sha256", "sha384", "sha512"]` in [the settings file](https://github.com/pulp/pulpcore/blob/master/pulpcore/app/settings.py#L257).

Also, the [CI adjusts this default to remove MD5](https://github.com/pulp/pulpcore/blob/cedcbe7a349d997d8dfbf2e9e9cdea200f50f91f/.github/workflows/scripts/install.sh#L64) from this list, and there are tests which expect MD5 to be excluded.

## Removing MD5 and SHA1

We want to make Pulp secure by default. MD5 is known to be insecure, and therefore it is unsafe for Pulp to allow its use for calculating package integrity by default. SHA-1 is widely believed to be insecure, or will be soon, and should not be allowed by default for the same reason.

## Future State

* MD5 and SHA1 will no longer be in ALLOWED_CONTENT_CHECKSUMS by default.
* The CI will no longer set this setting as it is not required.
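As an added illustration (not pulpcore's own code), the helper below shows what the default change means for content verification: given the checksums an upstream offers for an artifact, it verifies using only an algorithm listed in `ALLOWED_CONTENT_CHECKSUMS`, prefers the strongest one available, and fails closed when the only checksums offered use a disallowed algorithm. `CURRENT_DEFAULT` and `FUTURE_DEFAULT` are the lists described in this story; the function name, the preference order and the sample data are assumptions made for the example.

```python
import hashlib
import hmac

# Defaults as described in the story. ALLOWED_CONTENT_CHECKSUMS is Pulp's real
# setting name; the helper below is an illustrative stand-in, not pulpcore code.
CURRENT_DEFAULT = ["md5", "sha1", "sha224", "sha256", "sha384", "sha512"]
FUTURE_DEFAULT = ["sha224", "sha256", "sha384", "sha512"]

# Preference order when an artifact carries several checksums: always verify
# with the strongest algorithm the deployment allows (assumed ordering).
STRONGEST_FIRST = ["sha512", "sha384", "sha256", "sha224", "sha1", "md5"]


def verify_artifact(data: bytes, offered: dict, allowed: list) -> tuple:
    """Verify `data` against `offered` ({algorithm: hex digest}) using only an
    algorithm present in `allowed`.

    Returns (True, algorithm_used) on success. Returns (False, reason) when the
    only checksums offered use disallowed algorithms (fail closed) or when the
    chosen digest does not match the content.
    """
    allowed_set = {alg.lower() for alg in allowed}
    candidates = [alg for alg in STRONGEST_FIRST if alg in allowed_set and alg in offered]
    if not candidates:
        return False, "no checksum in an allowed algorithm; offered: " + ", ".join(sorted(offered))
    alg = candidates[0]
    actual = hashlib.new(alg, data).hexdigest()
    # Constant-time comparison so a mismatch takes the same time wherever it occurs.
    if not hmac.compare_digest(actual, offered[alg].lower()):
        return False, f"{alg} digest mismatch"
    return True, alg


# Constructed sample content and the checksums an upstream might publish for it.
SAMPLE_DATA = b"constructed sample package bytes, not a real artifact\n"
SAMPLE_CHECKSUMS = {
    "md5": hashlib.new("md5", SAMPLE_DATA).hexdigest(),
    "sha256": hashlib.new("sha256", SAMPLE_DATA).hexdigest(),
}
# An upstream that publishes nothing stronger than MD5.
MD5_ONLY = {"md5": SAMPLE_CHECKSUMS["md5"]}


if __name__ == "__main__":
    for label, allowed in (("current default", CURRENT_DEFAULT), ("future default", FUTURE_DEFAULT)):
        print(label, "md5+sha256 offered ->", verify_artifact(SAMPLE_DATA, SAMPLE_CHECKSUMS, allowed))
        print(label, "md5 only offered   ->", verify_artifact(SAMPLE_DATA, MD5_ONLY, allowed))
```

With the current default an MD5-only artifact still verifies; with the future default the same artifact is rejected outright, which is the intended secure-by-default behaviour. Deployments that must keep accepting such content would have to opt in explicitly rather than relying on the shipped default.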
