Is it time to deprecate md5? #802

Closed
copumpkin opened this issue Feb 15, 2016 · 15 comments
Comments

@copumpkin
Member

It's a terrible hash function under any assumption of malicious actors. It would be nice in an upcoming Nix release to print out a warning that a fixed-output derivation is using md5 and instruct people to move to something more sensible. Then perhaps in a couple of releases we could break it altogether except after someone opts in.

SHA1 isn't great, but isn't as bad. It would be nice to set some precedent on what to do about that, too.

@edolstra
Member

👍

@domenkozar
Member

👍 for deprecation (and noting in what version the support will be removed).

@copumpkin
Member Author

I'm not one for release schedules, but perhaps add it as a warning in 1.12, make it an error that can be overridden with e.g. --allow-insecure-md5 in 1.13, and make it unoverridable in 1.14. The error message from 1.14 onwards would tell you what to do instead and will stay for the foreseeable future, so it won't just say something unfriendly like "unknown hash: md5".

@vcunat
Member

vcunat commented Feb 15, 2016

We should start by phasing md5 out in nixpkgs. After that is done, we can remove support in nix but I don't think that part is really important as it's a kind of opt-in.

@copumpkin
Member Author

It seemed easier to start from Nix since there are a dozen fixed-output derivation functions that could each warn. Perhaps we can jump in at the stdenv/generic.nix level, now that I think about it?

On Mon, Feb 15, 2016 at 12:54 Vladimír Čunát [email protected] wrote:

    We should start by phasing md5 out in nixpkgs. After that is done, we can remove support in nix but I don't think that part is really important as it's a kind of opt-in.

@vcunat
Member

vcunat commented Feb 15, 2016

I see, changing nix is probably the easiest way to produce warnings in all these cases.

@davidak
Member

davidak commented Feb 15, 2016

👍

@vcunat some people use private packages.

@ivan
Member

ivan commented Aug 30, 2016

chromium/update.nix appears to use an md5 collision to achieve something.

@copumpkin
Member Author

@edolstra would you support adding an annoying warning message for md5 for the next release or two, and then removing support for it after that?

@edolstra
Member

For backward compatibility, it would be better to deprecate/remove it in Nixpkgs. Otherwise we would lose the ability to build packages from old Nixpkgs versions.

@FRidh
Member

FRidh commented Nov 4, 2018

md5 support was removed in NixOS 17.03 so we're 4 releases without by now.

pull bot pushed a commit to evanjs/nixpkgs that referenced this issue Mar 31, 2019
The title of NixOS/nix#802 says it all:

    Is it time to deprecate md5?

Of course it is - we shouldn't use MD5 for our beautiful updater, but
switch to SHA1 instead. It's the future!

       .    .          .       .           .
  .              .        .          .               .
    .    .           .           .        .-.   .         .     .
           -------     ______             | `\                .
.   ______   .            '   ``-..-.-,.-.`.  `----._______
           .  -------   .   . `.`.-=,'='-===| SHA1  \______`--._
 --------------      ---   .  ..-.-.-=-.-===|   ____________.--"
               ---------  . . .- .,==-'`-'-./  /__----'^  `^  `^  `^
   ____   -----     --  ____   ' . _____   \______[=>  =>  =>  =>
         .                   .       .                .
   .          .     .     .              .        .          .

Signed-off-by: aszlig <[email protected]>
@domenkozar
Member

It would still make sense to deprecate md5 in Nix itself?

@edolstra
Member

No, we need to keep it for backward compatibility. We don't want to lose the ability to build old Nix expressions.

@domenkozar
Member

I wasn't clear enough. I'd only add a warning when md5 is used like so:

filename:line:col: md5 fixed-output derivations are deprecated
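
A small scanner that emits exactly the warning shape proposed above for md5-pinned fixed-output derivations. This is an added illustration, not code from Nix or Nixpkgs; the Nix snippet it scans is constructed here, and the two attribute patterns it looks for (a bare `md5 = "..."` fetcher argument and `outputHashAlgo = "md5"`) are assumptions about how md5 typically reaches a fixed-output derivation.

```python
import re
from dataclasses import dataclass

# Constructed sample Nix expression (not from the issue): one fetch pinned
# by md5, one by sha256, plus an explicit md5 outputHashAlgo on the derivation.
SAMPLE_NIX = '''{ fetchurl, stdenv }:
stdenv.mkDerivation {
  src = fetchurl {
    url = "https://example.invalid/foo-1.0.tar.gz";
    md5 = "d41d8cd98f00b204e9800998ecf8427e";
  };
  patch = fetchurl {
    url = "https://example.invalid/foo.patch";
    sha256 = "0000000000000000000000000000000000000000000000000000";
  };
  outputHashAlgo = "md5";
  outputHash = "d41d8cd98f00b204e9800998ecf8427e";
}
'''

# Assumed patterns: `md5 = "..."` passed to a fetcher, or an explicit
# `outputHashAlgo = "md5"`. Word boundaries keep sha256/sha512 from matching.
MD5_ATTR = re.compile(r'\bmd5\s*=\s*"')
MD5_ALGO = re.compile(r'\boutputHashAlgo\s*=\s*"md5"')

@dataclass(frozen=True)
class Finding:
    filename: str
    line: int  # 1-based line number
    col: int   # 1-based column where the offending attribute starts

    def message(self) -> str:
        # Same shape as the warning proposed in the thread.
        return f"{self.filename}:{self.line}:{self.col}: md5 fixed-output derivations are deprecated"

def scan_nix(filename: str, text: str) -> list[Finding]:
    """Return one Finding per md5-pinned fixed-output derivation in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for pattern in (MD5_ATTR, MD5_ALGO):
            m = pattern.search(line)
            if m:
                findings.append(Finding(filename, lineno, m.start() + 1))
    return findings

if __name__ == "__main__":
    for f in scan_nix("default.nix", SAMPLE_NIX):
        print(f.message())
```

Run against a checkout it lists every md5-pinned fetch with a file:line:col location, which is what a migration to sha256 needs before Nix itself ever warns.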

@vcunat
Member

vcunat commented Nov 29, 2019

I suppose we're finally ready for that: NixOS/nixpkgs@46cf3a51269 ;-)

zolodev pushed a commit to zolodev/nix that referenced this issue Jan 1, 2024
* source file selection tutorial

Co-authored-by: Valentin Gagarin <[email protected]>
Co-authored-by: Robert Hensing <[email protected]>