[Bug 1214485] Re: click packages supply only DEBIAN/md5sums, but should also supply stronger hashes
Daniel Holbach
daniel.holbach at ubuntu.com
Wed Aug 21 07:40:04 UTC 2013
** Tags added: appstore
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to click in Ubuntu.
https://bugs.launchpad.net/bugs/1214485
Title:
click packages supply only DEBIAN/md5sums, but should also supply
stronger hashes
Status in “click” package in Ubuntu:
New
Bug description:
click packages provide DEBIAN/md5sums. When the package is signed,
this is fine to guard against the package being modified without the
developer knowing because altering files within the package results in
the signature failing to verify.
However, a malicious developer is able to upload a signed package with
altered files. We can verify the md5sums automatically to make sure
they are in sync, but because MD5 is vulnerable to hash collisions, we
can't be 100% sure the files didn't change. This isn't a problem with
click or the appstore in and of itself at this time because I don't
think DEBIAN/md5sums is being used for change detection, but if we
start to rely on the sums in DEBIAN/md5sums for change detection
between click package uploads, then we will need to use a stronger
hashing algorithm.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/click/+bug/1214485/+subscriptions
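An added example (not code from click or from the bug report) of the change detection the description anticipates: manifests in the DEBIAN/md5sums layout (hex digest, two spaces, path) are built with SHA-256 instead of MD5, verified against a package's files, and diffed between two uploads; the file names and contents are constructed sample data.

```python
"""Constructed example: SHA-256 manifests in the DEBIAN/md5sums layout,
used to detect files that changed between two package uploads."""
import hashlib
from typing import Dict, List, Tuple


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse lines of '<hexdigest>  <relative path>' into {path: digest}."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        digest, sep, path = line.partition("  ")  # md5sums uses two spaces
        if not sep or not path:
            raise ValueError(f"malformed manifest line: {line!r}")
        entries[path] = digest.lower()
    return entries


def build_manifest(files: Dict[str, bytes], algo: str = "sha256") -> str:
    """Render a manifest in the md5sums layout with a stronger algorithm."""
    lines = [f"{hashlib.new(algo, files[p]).hexdigest()}  {p}" for p in sorted(files)]
    return "\n".join(lines) + "\n"


def verify_manifest(manifest: str, files: Dict[str, bytes], algo: str = "sha256") -> List[str]:
    """Return paths that mismatch the manifest, are missing, or are unlisted."""
    expected = parse_manifest(manifest)
    problems = [p for p, d in expected.items()
                if p not in files or hashlib.new(algo, files[p]).hexdigest() != d]
    problems.extend(p for p in files if p not in expected)
    return sorted(problems)


def changed_between_uploads(old_manifest: str, new_manifest: str) -> Tuple[List[str], List[str], List[str]]:
    """Diff two manifests from successive uploads: (added, removed, modified)."""
    old, new = parse_manifest(old_manifest), parse_manifest(new_manifest)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, modified


# Constructed sample uploads: one file altered, one file added in the second.
UPLOAD_1 = {"bin/app": b"#!/bin/sh\necho hello\n", "manifest.json": b"{}"}
UPLOAD_2 = {"bin/app": b"#!/bin/sh\necho goodbye\n", "manifest.json": b"{}",
            "lib/helper.so": b"\x7fELF"}

if __name__ == "__main__":
    print(changed_between_uploads(build_manifest(UPLOAD_1), build_manifest(UPLOAD_2)))
```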