Is it time to deprecate md5? #802
Comments
👍
👍 for deprecation (and noting in what version the support will be removed).
I'm not one for release schedules, but perhaps add it as a warning to 1.12, make it an error that can be overridden with e.g.,
We should start by phasing md5 out in nixpkgs. After that is done, we can remove support in nix but I don't think that part is really important as it's a kind of opt-in.
It seemed easier to start from Nix since there are a dozen fixed-output
I see, changing nix is probably the easiest way to produce warnings in all these cases.
👍 @vcunat some people use private packages.
chromium/update.nix appears to use an md5 collision to achieve something.
@edolstra would you support adding an annoying warning message for md5 for the next release or two, and then removing support for it after that?
For backward compatibility, it would be better to deprecate/remove it in Nixpkgs. Otherwise we would lose the ability to build packages from old Nixpkgs versions.
md5 support was removed in NixOS 17.03, so we're 4 releases without it by now.
The title of NixOS/nix#802 says it all: Is it time to deprecate md5? Of course it is - we shouldn't use MD5 for our beautiful updater, but switch to SHA1 instead. It's the future! . . . . . . . . . . . . . . .-. . . . ------- ______ | `\ . . ______ . ' ``-..-.-,.-.`. `----._______ . ------- . . `.`.-=,'='-===| SHA1 \______`--._ -------------- --- . ..-.-.-=-.-===| ____________.--" --------- . . .- .,==-'`-'-./ /__----'^ `^ `^ `^ ____ ----- -- ____ ' . _____ \______[=> => => => . . . . . . . . . . . Signed-off-by: aszlig <[email protected]>
It would still make sense to deprecate md5 in Nix itself?
No, we need to keep it for backward compatibility. We don't want to lose the ability to build old Nix expressions.
I wasn't clear enough. I'd only add a warning when md5 is used like so:
I suppose we're finally ready for that: NixOS/nixpkgs@46cf3a51269 ;-)
* source file selection tutorial Co-authored-by: Valentin Gagarin <[email protected]> Co-authored-by: Robert Hensing <[email protected]>
It's a terrible hash function under any assumption of malicious actors. It would be nice in an upcoming Nix release to print out a warning that a fixed-output derivation is using md5 and instruct people to move to something more sensible. Then perhaps in a couple of releases we could break it altogether except after someone opts in.
SHA1 isn't great, but isn't as bad. It would be nice to set some precedent on what to do about that, too.
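The check the issue body asks Nix to perform at evaluation time, done instead as a stand-alone scanner over Nix source text. This is an added example for this thread, not code from Nix or nixpkgs: it flags md5 as an error and sha1 as a warning, mirroring the distinction drawn above. The attribute spellings it matches (a legacy `md5 = "..."` / `sha1 = "..."` fetcher attribute, `outputHashAlgo = "md5"`, and an SRI `hash = "md5-..."`), the `Finding` type and the sample expression are assumptions constructed for the example.

```python
"""Flag weak fixed-output hashes (md5, sha1) in Nix expressions.

Added example for the md5-deprecation discussion; not Nix's or nixpkgs' own
code. The attribute spellings below are assumptions about how nixpkgs-style
expressions name a fixed-output hash.
"""
import re
import sys
from dataclasses import dataclass
from typing import List

# Legacy fetcher attribute, e.g.  md5 = "9e107d9d372bb6826bd81d3542a419d6";
LEGACY_ATTR = re.compile(r'^\s*(md5|sha1)\s*=\s*"[0-9a-fA-F]+"\s*;')
# Explicit algorithm on a fixed-output derivation.
OUTPUT_HASH_ALGO = re.compile(r'\boutputHashAlgo\s*=\s*"(md5|sha1)"')
# SRI-style hash attribute carrying the algorithm as a prefix.
SRI_HASH = re.compile(r'\bhash\s*=\s*"(md5|sha1)-[A-Za-z0-9+/=]+"')

# md5 is collision-broken, so a hard error; sha1 is weaker than wanted but
# not as bad, so a warning (the same distinction the issue body draws).
SEVERITY = {"md5": "error", "sha1": "warning"}


@dataclass(frozen=True)
class Finding:
    line: int
    algo: str
    kind: str       # "legacy-attr", "outputHashAlgo" or "sri"
    severity: str


def scan_nix_source(text: str) -> List[Finding]:
    """Return one Finding per weak-hash use, in source order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern, kind in ((LEGACY_ATTR, "legacy-attr"),
                              (OUTPUT_HASH_ALGO, "outputHashAlgo"),
                              (SRI_HASH, "sri")):
            m = pattern.search(line)
            if m:
                algo = m.group(1)
                findings.append(Finding(lineno, algo, kind, SEVERITY[algo]))
    return findings


def has_blocking_findings(findings: List[Finding]) -> bool:
    """True when at least one finding is an error (md5), i.e. should fail CI."""
    return any(f.severity == "error" for f in findings)


# Constructed sample expression. The URLs are placeholders; the digests are
# well-known test-vector values, not hashes of any real artifact.
SAMPLE_NIX = '''
{ stdenv, fetchurl }:
stdenv.mkDerivation {
  name = "example-1.0";
  src = fetchurl {
    url = "https://example.invalid/example-1.0.tar.gz";
    md5 = "9e107d9d372bb6826bd81d3542a419d6";
  };
  patch = fetchurl {
    url = "https://example.invalid/fix.patch";
    sha1 = "2fd4e1c67a2d28fced849ee1bb76e7391b93eb12";
  };
  extra = fetchurl {
    url = "https://example.invalid/extra.tar.gz";
    sha256 = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
  };
  outputHashAlgo = "md5";
  outputHash = "d41d8cd98f00b204e9800998ecf8427e";
  sri = fetchurl { url = "https://example.invalid/x"; hash = "md5-1B2M2Y8AsgTpgAmY7PhCfg=="; };
}
'''


def main(argv: List[str]) -> int:
    # Scan the file given on the command line, or the built-in sample.
    text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_NIX
    findings = scan_nix_source(text)
    for f in findings:
        print(f"{f.severity}: line {f.line}: {f.kind} uses {f.algo}")
    return 1 if has_blocking_findings(findings) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python scan_weak_hashes.py default.nix`; a non-zero exit on any md5 use lets it sit in a pre-commit hook or CI job while sha1 uses are still only reported. The sha256 entry in the sample is there to show that the legacy-attribute pattern does not misfire on a longer algorithm name.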