Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

sage-bootstrap (checksums.ini): Use stronger cryptographic hashes #37691

Closed
4 tasks
mkoeppe opened this issue Mar 29, 2024 · 0 comments · Fixed by #37726
Closed
4 tasks

sage-bootstrap (checksums.ini): Use stronger cryptographic hashes #37691

mkoeppe opened this issue Mar 29, 2024 · 0 comments · Fixed by #37726
Labels
c: distribution good first issue p: critical / 2 wishlist item
Milestone
sage-10.4

Comments

@mkoeppe
Copy link
Contributor

mkoeppe commented Mar 29, 2024
edited
Loading

Currently we use

sha1=fa2ae4db119f639a01b02f99f1ba671ece2828eb
md5=0d270c997aff29708c74d53f599ef717
cksum=1153713708

all of which do not provide sufficient protection against collision attacks.
Concurring with the suggestion in https://groups.google.com/g/sage-devel/c/ckJuCIdStVU/m/ONTDxjGnAQAJ, we should switch to sha256.

  • Add methods for sha256, parallel to existing methods for sha1
  • Update method checksum_verifies and emit warning if a package only has a sha1 hash, not a sha256 hash
  • Remove methods for md5, cksum (already marked as outdated in the code)
  • Update checksums.ini files

Files to edit:

  • build/sage_bootstrap/package.py
  • build/sage_bootstrap/tarball.py
  • build/test/test_package_cmdline.py
@faisalfakhro faisalfakhro mentioned this issue Apr 2, 2024
Merged
5 tasks
@mkoeppe mkoeppe added this to the sage-10.4 milestone May 3, 2024
vbraun pushed a commit to vbraun/sage that referenced this issue May 12, 2024
sagemathgh-37726: sage-bootstrap: update cryptographic hashes
da3f21c 
    
<!-- ^ Please provide a concise and informative title. -->
<!-- ^ Don't put issue numbers in the title, do this in the PR
description below. -->
<!-- ^ For example, instead of "Fixes sagemath#12345" use "Introduce new method
to calculate 1 + 2". -->
<!-- v Describe your changes below in detail. -->
<!-- v Why is this change required? What problem does it solve? -->
<!-- v If this PR resolves an open issue, please link to it here. For
example, "Fixes sagemath#12345". -->

Update cryptographic hashes to use sha256 instead of sha1 due to
insecurity of sha1.

- Fixes sagemath#37691
- Fixes sagemath#37558, see also
sagemath#36677 (comment)

### 📝 Checklist

<!-- Put an `x` in all the boxes that apply. -->

- [x] The title is concise and informative.
- [x] The description explains in detail what this PR is about.
- [x] I have linked a relevant issue or discussion.
- [ ] I have created tests covering the changes.
- [ ] I have updated the documentation accordingly.

### ⌛ Dependencies

<!-- List all open PRs that this PR logically depends on. For example,
-->
<!-- - sagemath#12345: short description why this is a dependency -->
<!-- - sagemath#34567: ... -->

- sagemath#37570
- sagemath#37249
- sagemath#37914
    
URL: sagemath#37726
Reported by: Faisal
Reviewer(s): Matthias Köppe, roed314
vbraun pushed a commit to vbraun/sage that referenced this issue May 15, 2024
sagemathgh-37726: sage-bootstrap: update cryptographic hashes
82be96c 
    
<!-- ^ Please provide a concise and informative title. -->
<!-- ^ Don't put issue numbers in the title, do this in the PR
description below. -->
<!-- ^ For example, instead of "Fixes sagemath#12345" use "Introduce new method
to calculate 1 + 2". -->
<!-- v Describe your changes below in detail. -->
<!-- v Why is this change required? What problem does it solve? -->
<!-- v If this PR resolves an open issue, please link to it here. For
example, "Fixes sagemath#12345". -->

Update cryptographic hashes to use sha256 instead of sha1 due to
insecurity of sha1.

- Fixes sagemath#37691
- Fixes sagemath#37558, see also
sagemath#36677 (comment)

### 📝 Checklist

<!-- Put an `x` in all the boxes that apply. -->

- [x] The title is concise and informative.
- [x] The description explains in detail what this PR is about.
- [x] I have linked a relevant issue or discussion.
- [ ] I have created tests covering the changes.
- [ ] I have updated the documentation accordingly.

### ⌛ Dependencies

<!-- List all open PRs that this PR logically depends on. For example,
-->
<!-- - sagemath#12345: short description why this is a dependency -->
<!-- - sagemath#34567: ... -->

- sagemath#37570
- sagemath#37249
- sagemath#37914
    
URL: sagemath#37726
Reported by: Faisal
Reviewer(s): Matthias Köppe, roed314
vbraun pushed a commit to vbraun/sage that referenced this issue May 15, 2024
sagemathgh-37726: sage-bootstrap: update cryptographic hashes
9200d9f 
    
<!-- ^ Please provide a concise and informative title. -->
<!-- ^ Don't put issue numbers in the title, do this in the PR
description below. -->
<!-- ^ For example, instead of "Fixes sagemath#12345" use "Introduce new method
to calculate 1 + 2". -->
<!-- v Describe your changes below in detail. -->
<!-- v Why is this change required? What problem does it solve? -->
<!-- v If this PR resolves an open issue, please link to it here. For
example, "Fixes sagemath#12345". -->

Update cryptographic hashes to use sha256 instead of sha1 due to
insecurity of sha1.

- Fixes sagemath#37691
- Fixes sagemath#37558, see also
sagemath#36677 (comment)

### 📝 Checklist

<!-- Put an `x` in all the boxes that apply. -->

- [x] The title is concise and informative.
- [x] The description explains in detail what this PR is about.
- [x] I have linked a relevant issue or discussion.
- [ ] I have created tests covering the changes.
- [ ] I have updated the documentation accordingly.

### ⌛ Dependencies

<!-- List all open PRs that this PR logically depends on. For example,
-->
<!-- - sagemath#12345: short description why this is a dependency -->
<!-- - sagemath#34567: ... -->

- sagemath#37570
- sagemath#37249
- sagemath#37914
    
URL: sagemath#37726
Reported by: Faisal
Reviewer(s): Matthias Köppe, roed314
vbraun pushed a commit to vbraun/sage that referenced this issue May 18, 2024
sagemathgh-37726: sage-bootstrap: update cryptographic hashes
2b8d959 
    
<!-- ^ Please provide a concise and informative title. -->
<!-- ^ Don't put issue numbers in the title, do this in the PR
description below. -->
<!-- ^ For example, instead of "Fixes sagemath#12345" use "Introduce new method
to calculate 1 + 2". -->
<!-- v Describe your changes below in detail. -->
<!-- v Why is this change required? What problem does it solve? -->
<!-- v If this PR resolves an open issue, please link to it here. For
example, "Fixes sagemath#12345". -->

Update cryptographic hashes to use sha256 instead of sha1 due to
insecurity of sha1.

- Fixes sagemath#37691
- Fixes sagemath#37558, see also
sagemath#36677 (comment)

### 📝 Checklist

<!-- Put an `x` in all the boxes that apply. -->

- [x] The title is concise and informative.
- [x] The description explains in detail what this PR is about.
- [x] I have linked a relevant issue or discussion.
- [ ] I have created tests covering the changes.
- [ ] I have updated the documentation accordingly.

### ⌛ Dependencies

<!-- List all open PRs that this PR logically depends on. For example,
-->
<!-- - sagemath#12345: short description why this is a dependency -->
<!-- - sagemath#34567: ... -->

- sagemath#37570
- sagemath#37249
- sagemath#37914
    
URL: sagemath#37726
Reported by: Faisal
Reviewer(s): Matthias Köppe, roed314
vbraun pushed a commit to vbraun/sage that referenced this issue May 18, 2024
sagemathgh-37726: sage-bootstrap: update cryptographic hashes
3589d96 
    
<!-- ^ Please provide a concise and informative title. -->
<!-- ^ Don't put issue numbers in the title, do this in the PR
description below. -->
<!-- ^ For example, instead of "Fixes sagemath#12345" use "Introduce new method
to calculate 1 + 2". -->
<!-- v Describe your changes below in detail. -->
<!-- v Why is this change required? What problem does it solve? -->
<!-- v If this PR resolves an open issue, please link to it here. For
example, "Fixes sagemath#12345". -->

Update cryptographic hashes to use sha256 instead of sha1 due to
insecurity of sha1.

- Fixes sagemath#37691
- Fixes sagemath#37558, see also
sagemath#36677 (comment)

### 📝 Checklist

<!-- Put an `x` in all the boxes that apply. -->

- [x] The title is concise and informative.
- [x] The description explains in detail what this PR is about.
- [x] I have linked a relevant issue or discussion.
- [ ] I have created tests covering the changes.
- [ ] I have updated the documentation accordingly.

### ⌛ Dependencies

<!-- List all open PRs that this PR logically depends on. For example,
-->
<!-- - sagemath#12345: short description why this is a dependency -->
<!-- - sagemath#34567: ... -->

- sagemath#37570
- sagemath#37249
- sagemath#37914
    
URL: sagemath#37726
Reported by: Faisal
Reviewer(s): Matthias Köppe, roed314
vbraun pushed a commit to vbraun/sage that referenced this issue May 18, 2024
sagemathgh-37726: sage-bootstrap: update cryptographic hashes
eb7927d 
    
<!-- ^ Please provide a concise and informative title. -->
<!-- ^ Don't put issue numbers in the title, do this in the PR
description below. -->
<!-- ^ For example, instead of "Fixes sagemath#12345" use "Introduce new method
to calculate 1 + 2". -->
<!-- v Describe your changes below in detail. -->
<!-- v Why is this change required? What problem does it solve? -->
<!-- v If this PR resolves an open issue, please link to it here. For
example, "Fixes sagemath#12345". -->

Update cryptographic hashes to use sha256 instead of sha1 due to
insecurity of sha1.

- Fixes sagemath#37691
- Fixes sagemath#37558, see also
sagemath#36677 (comment)

### 📝 Checklist

<!-- Put an `x` in all the boxes that apply. -->

- [x] The title is concise and informative.
- [x] The description explains in detail what this PR is about.
- [x] I have linked a relevant issue or discussion.
- [ ] I have created tests covering the changes.
- [ ] I have updated the documentation accordingly.

### ⌛ Dependencies

<!-- List all open PRs that this PR logically depends on. For example,
-->
<!-- - sagemath#12345: short description why this is a dependency -->
<!-- - sagemath#34567: ... -->

- sagemath#37570
- sagemath#37249
- sagemath#37914
    
URL: sagemath#37726
Reported by: Faisal
Reviewer(s): Matthias Köppe, roed314
vbraun pushed a commit to vbraun/sage that referenced this issue May 18, 2024
sagemathgh-37726: sage-bootstrap: update cryptographic hashes
774ecae 
    
<!-- ^ Please provide a concise and informative title. -->
<!-- ^ Don't put issue numbers in the title, do this in the PR
description below. -->
<!-- ^ For example, instead of "Fixes sagemath#12345" use "Introduce new method
to calculate 1 + 2". -->
<!-- v Describe your changes below in detail. -->
<!-- v Why is this change required? What problem does it solve? -->
<!-- v If this PR resolves an open issue, please link to it here. For
example, "Fixes sagemath#12345". -->

Update cryptographic hashes to use sha256 instead of sha1 due to
insecurity of sha1.

- Fixes sagemath#37691
- Fixes sagemath#37558, see also
sagemath#36677 (comment)

### 📝 Checklist

<!-- Put an `x` in all the boxes that apply. -->

- [x] The title is concise and informative.
- [x] The description explains in detail what this PR is about.
- [x] I have linked a relevant issue or discussion.
- [ ] I have created tests covering the changes.
- [ ] I have updated the documentation accordingly.

### ⌛ Dependencies

<!-- List all open PRs that this PR logically depends on. For example,
-->
<!-- - sagemath#12345: short description why this is a dependency -->
<!-- - sagemath#34567: ... -->

- sagemath#37570
- sagemath#37249
- sagemath#37914
    
URL: sagemath#37726
Reported by: Faisal
Reviewer(s): Matthias Köppe, roed314
vbraun pushed a commit to vbraun/sage that referenced this issue May 24, 2024
sagemathgh-37726: sage-bootstrap: update cryptographic hashes
3ca2d09 
    
<!-- ^ Please provide a concise and informative title. -->
<!-- ^ Don't put issue numbers in the title, do this in the PR
description below. -->
<!-- ^ For example, instead of "Fixes sagemath#12345" use "Introduce new method
to calculate 1 + 2". -->
<!-- v Describe your changes below in detail. -->
<!-- v Why is this change required? What problem does it solve? -->
<!-- v If this PR resolves an open issue, please link to it here. For
example, "Fixes sagemath#12345". -->

Update cryptographic hashes to use sha256 instead of sha1 due to
insecurity of sha1.

- Fixes sagemath#37691
- Fixes sagemath#37558, see also
sagemath#36677 (comment)

### 📝 Checklist

<!-- Put an `x` in all the boxes that apply. -->

- [x] The title is concise and informative.
- [x] The description explains in detail what this PR is about.
- [x] I have linked a relevant issue or discussion.
- [ ] I have created tests covering the changes.
- [ ] I have updated the documentation accordingly.

### ⌛ Dependencies

<!-- List all open PRs that this PR logically depends on. For example,
-->
<!-- - sagemath#12345: short description why this is a dependency -->
<!-- - sagemath#34567: ... -->

- sagemath#37570
- sagemath#37249
- sagemath#37914
    
URL: sagemath#37726
Reported by: Faisal
Reviewer(s): Matthias Köppe, roed314
@vbraun vbraun closed this as completed in c4681e3 May 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
c: distribution good first issue p: critical / 2 wishlist item
Projects
None yet
Milestone
sage-10.4
Development

Successfully merging a pull request may close this issue.

sage-bootstrap: update cryptographic hashes faisalfakhro/sage
1 participant
@mkoeppe