subject: Removing MD5 and SHA-1 as default available checksums in 3.11

tl;dr With pulpcore 3.11, the plan is to remove MD5 and SHA-1 from the list of default available checksums. RPM and Migration plugin users will need to add these back in at 3.11 upgrade time for their systems to continue working. Please give on-list feedback on this change.

## Background

Pulp has the ALLOWED_CONTENT_CHECKSUMS setting which, by default, currently includes md5, sha-1, sha-224, sha-256, sha-384, and sha-512. Pulp code is restricted to using only hashers from this list. This feature gives admins the ability to prohibit hashers they do not trust. Pulp uses these checksums for package integrity verification when syncing and publishing content.

## Motivation

We need to make Pulp secure by default. MD5 is known to be insecure, and therefore it is unsafe for Pulp to allow its use for calculating package integrity by default. SHA-1 is widely believed to be insecure, or soon will be, and should not be allowed by default for the same reason.

## Proposal

Pulpcore 3.11 would remove md5 and sha-1 from the default list of allowed checksums, leaving sha-224..sha-512. Specifically, this change is occurring in the `ALLOWED_CONTENT_CHECKSUMS` setting [0]. This is only a change to the default settings; any specific system can be configured as desired. Nothing is "being taken away".

## Required User Action with 3.11

We believe both RPM plugin users and Migration plugin users will be impacted by this, mostly by the SHA-1 removal. SHA-1 is still used on a variety of CDNs, including Red Hat's. Also, data migrated from Pulp2 systems likely uses SHA-1 and MD5 as the migration plugin runs. If users are using the defaults for `ALLOWED_CONTENT_CHECKSUMS` and want to continue using SHA-1, they will need to update `ALLOWED_CONTENT_CHECKSUMS` in their settings file.
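As an added illustration (not Pulp's own code), the following Python models how a setting-restricted integrity check behaves at sync time under the proposed 3.11 defaults versus a settings file that adds sha1 back. The function names, sample packages and repodata entries are constructed for this example, and the setting values use hashlib's algorithm names.

```python
import hashlib

# Proposed 3.11 default: md5 and sha1 dropped (values are hashlib algorithm names).
DEFAULT_ALLOWED_CONTENT_CHECKSUMS = ["sha224", "sha256", "sha384", "sha512"]
# What an RPM or Migration plugin admin who still needs SHA-1 content would set.
SHA1_COMPAT_ALLOWED_CONTENT_CHECKSUMS = ["sha1"] + DEFAULT_ALLOWED_CONTENT_CHECKSUMS


class DisallowedChecksumError(ValueError):
    """Repo metadata names a checksum type the admin has not allowed."""


def verify_artifact(data, checksum_type, expected_hex, allowed):
    """Recompute the digest with an allowed hasher and compare to metadata.
    A disallowed type is refused before any digest is computed."""
    if checksum_type not in allowed:
        raise DisallowedChecksumError(
            f"{checksum_type} not in ALLOWED_CONTENT_CHECKSUMS={allowed}")
    return hashlib.new(checksum_type, data).hexdigest() == expected_hex.lower()


def check_repodata(entries, allowed):
    """Classify each package entry as 'ok', 'mismatch' or 'disallowed'."""
    results = {}
    for e in entries:
        try:
            ok = verify_artifact(e["data"], e["checksum_type"], e["checksum"], allowed)
            results[e["name"]] = "ok" if ok else "mismatch"
        except DisallowedChecksumError:
            results[e["name"]] = "disallowed"
    return results


# Constructed sample payloads and repodata entries (not real RPMs or CDN metadata).
_PKG_A = b"constructed payload for package a"
_PKG_B = b"constructed payload for package b"
SAMPLE_REPODATA = [
    # A CDN that still publishes SHA-1 digests, as the proposal notes some do.
    {"name": "a-1.0.rpm", "checksum_type": "sha1", "data": _PKG_A,
     "checksum": hashlib.sha1(_PKG_A).hexdigest()},
    {"name": "b-2.0.rpm", "checksum_type": "sha256", "data": _PKG_B,
     "checksum": hashlib.sha256(_PKG_B).hexdigest()},
    # Corrupted or tampered content: the digest does not match the bytes.
    {"name": "c-3.0.rpm", "checksum_type": "sha256", "data": _PKG_B, "checksum": "00" * 32},
]

if __name__ == "__main__":
    print("3.11 defaults:", check_repodata(SAMPLE_REPODATA, DEFAULT_ALLOWED_CONTENT_CHECKSUMS))
    print("sha1 re-added:", check_repodata(SAMPLE_REPODATA, SHA1_COMPAT_ALLOWED_CONTENT_CHECKSUMS))
```

Under the 3.11 defaults the SHA-1 entry is rejected before any digest is computed, which is the failure RPM and Migration plugin users would hit without adjusting the setting.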
Alternatively, users will need to run `pulpcore-manager handle-artifact-checksums` after upgrading to update any existing artifacts.

## Why not automate this?

We do not take manual user action at upgrade time lightly. However, this is a security change, and we believe we need each Pulp system to opt in for itself.

[0]: https://docs.pulpproject.org/pulpcore/settings.html#allowed-content-checksums

Thanks!
The Pulpcore Team

################################ MISC NOTES

* What have we missed in evaluating this decision?
    * [ttereshc] Migration plugin is somewhat affected
        * currently there is no special handling of ALLOWED_CONTENT_CHECKSUMS and it is assumed that all are allowed
        * to be fair, even now if user prohibits md5 or sha1, we have a problem - migration will likely fail
        * If we disallow any checksums by default, users will run into migration issues almost all the time if they do not reconfigure ALLOWED_CONTENT_CHECKSUMS
            * can be solved by clear documentation - extra steps for users
            * not sure how to assess which user experience is better or worse

###### tags: `FIPS`