opam
opam copied to clipboard
coq
Checksum enforcement, banning MD5?
Since MD5 is known to not be collision resistant, and has been described as "cryptographically broken and unsuitable for further use", I think it's time we actively phase out MD5 for archive checksums. Most directly, we should refuse to merge new packages with any form of MD5 checksum.
I propose that we recommend SHA512 checksums, since they are faster to check on 64-bit processors, while being cryptographically at least as strong as SHA256 checksums. However, I think we should still allow SHA256 checksums.
You seem to imply that the checksum field was meant for cryptography use in Opam. As far as I know, the field is only there to ensure the integrity of the download (e.g., truncated file), not to guarantee that the downloaded file was not modified by an attacker. So, I don't mind recommending SHA512, but using its cryptographic strength as a rationale is quite misleading, in my opinion.
Based on my understanding of https://github.com/ocaml/opam/issues/3320 and https://opam.ocaml.org/blog/Signing-the-opam-repository/), MD5 should indeed be deprecated.
Note that opam2 supports other hashes, so we're well on the way towards deprecation of md5 completely.
Now, that's not enough — but instead of trusting everybody on the Internet, you only have to trust the maintainers/authors of the opam repo in question, and GitHub; attacks remain possible but much less likely.
I guess it is up to the opam lint utility to complain, and to the opam admin one to let us update all pks in one go. When they decide to really deprecate, we can just follow their lead.
I still think we should try to be ahead of the opam lint deprecation, i.e., actively suggest changes to submitted packages to use SHA512 (preferred) or SHA256.