
'Checksum' property is potentially problematic


From: Sebastian
Subject: 'Checksum' property is potentially problematic
Date: Wed, 13 Jan 2021 17:56:09 +0000

Dear all,

In my efforts to add as much useful data to entries as possible, I
inevitably came to the 'Checksum' property - it turns out this is not
what I thought it was, and raises some interesting questions.

I had assumed that this was a field to contain a checksum for the
package's release of the version listed in the 'Version identifier'
field, but it is actually configured to contain an HTTP URL to a
checksum file.

Firstly, I believe that the help bubble on the form is rather
misleading:

> Checksum of this free software release. Please use "sum" from the GNU
> coreutils. Used during security checks.

...all the entries that have this property contain one of two types of
cryptographic hashes, SHA-256 or the now-broken MD5 function.
Admittedly, GNU coreutils contains programs to perform both of these
hash functions, but the checksum produced by the GNU 'sum' command is so
weak as to be useless for security checking.

Secondly, if the checksum is supposed to refer to the specific package
version (it appears below the download link in the normal page view),
then I think this ought to be clear in the form as well: 'Version
checksum' rather than 'Checksum'.

These questions, however, make me wonder about the utility of such a
field on the Directory. If the cryptographic hash is to be used for
verifying the origin of the package (rather than just the integrity of
the download), then the Free Software Directory must be completely
trusted. This is because entries have direct download URLs - if a
malicious actor could modify the download link to a similar-looking but
dangerous address, then that same attacker would have no trouble in
leading users down a false sense of security by changing the checksum as
well. I imagine the same applies to the 'OpenPGP public key URL' field.
Should the Free Software Directory really take on the burden of being a
'trust-broker' for packages as well as a mere catalogue?

And finally, this property is not terribly popular[1]... Only 0.2% of
entries have it!

Best wishes,

Sebastian

--
- Freenode: 'seabass'
- Matrix: '@seabass:chat.weho.st'
- FSD: 'Freefish'
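As an added illustration of the first point above (example code written for this page, not part of the original post or of the Free Software Directory): the 16-bit BSD checksum that GNU `sum` emits by default, implemented as coreutils does it (rotate right by one bit, add the byte, modulo 2**16), next to SHA-256, and a search that finds a second, different file with the same `sum` value in about 65,536 attempts on average. The "release" contents and the seed are constructed sample values; the `sum_line` helper only mirrors the two-column layout (checksum, 1 KiB block count) of the default output.

```python
import hashlib
import random


def bsd_sum(data: bytes, state: int = 0) -> int:
    """16-bit BSD checksum, the default algorithm of GNU coreutils 'sum'.

    Each byte is folded in by rotating the running value right by one bit
    and adding the byte, all modulo 2**16. 'state' lets a caller resume
    from the checksum of an already-processed prefix.
    """
    checksum = state
    for byte in data:
        checksum = (checksum >> 1) + ((checksum & 1) << 15)
        checksum = (checksum + byte) & 0xFFFF
    return checksum


def sum_line(data: bytes) -> str:
    """Two-column layout of 'sum': zero-padded checksum and 1 KiB block count."""
    blocks = (len(data) + 1023) // 1024
    return f"{bsd_sum(data):05d} {blocks:5d}"


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest as lowercase hex, i.e. what 'sha256sum' prints."""
    return hashlib.sha256(data).hexdigest()


def forge_bsd_sum(target_sum: int, prefix: bytes, suffix_len: int = 16,
                  max_tries: int = 5_000_000, seed: int = 1) -> bytes:
    """Return 'prefix + suffix' whose BSD sum equals target_sum.

    Only 65,536 checksum values exist, so a random suffix matches after
    about 65,536 attempts on average. The seed makes the search repeatable;
    the prefix is hashed once and only the candidate suffix is re-hashed.
    """
    rng = random.Random(seed)
    prefix_state = bsd_sum(prefix)
    for _ in range(max_tries):
        suffix = rng.getrandbits(8 * suffix_len).to_bytes(suffix_len, "big")
        if bsd_sum(suffix, prefix_state) == target_sum:
            return prefix + suffix
    raise RuntimeError("no match within max_tries (vanishingly unlikely)")


def demo() -> dict:
    """Two different files with identical 'sum' output but different SHA-256."""
    # Constructed sample "release" standing in for a real tarball.
    genuine = b"#!/bin/sh\necho 'release 1.0'\n"
    # Constructed second file; the suffix is chosen so the 16-bit sums match.
    other = forge_bsd_sum(bsd_sum(genuine), b"#!/bin/sh\necho 'release 1.0 (rebuilt)'\n")
    return {
        "genuine_sum_line": sum_line(genuine),
        "other_sum_line": sum_line(other),
        "same_sum": bsd_sum(genuine) == bsd_sum(other),
        "same_sha256": sha256_hex(genuine) == sha256_hex(other),
        "genuine_sha256": sha256_hex(genuine),
        "other_sha256": sha256_hex(other),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the search makes is the one the message makes: matching a 16-bit `sum` value costs a fraction of a second, so the field only makes sense if it holds a cryptographic hash such as SHA-256, and even then it attests to the integrity of the bytes fetched, not to where they came from.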