[v4] Refuse weak checksums for on-demand sync
Is your feature request related to a problem? Please describe.
md5 and sha1 are thoroughly broken at this point - we should rely on stronger checksums. We potentially run some conflict risks with on-demand packages.
Describe the solution you'd like
Start rejecting on-demand syncs if files depend on md5 or sha1 checksums - but perhaps allow this to be turned back off with a setting.
This is distinct from ALLOWED_CONTENT_CHECKSUMS because that will not allow even immediate syncs using those checksums as verification. In this case we want to allow immediate syncs, but disallow on-demand ones.
I'll strongly reinforce "allow to go back to current behavior with a setting" - if that's in place, I'm good with this.
+1 on a way to re-enable sha1, since Oracle still uses it :'(
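
The policy split requested in this thread, as an added sketch that is not part of the original issue and is not Pulp code: ALLOWED_CONTENT_CHECKSUMS keeps gating every sync, while packages that only carry md5/sha1 are refused for on-demand syncs unless an opt-out is set. The function names, the `allow_weak_on_demand` flag and the sample metadata are assumptions made up for the illustration.

```python
# Added illustration, not Pulp code. ALLOWED_CONTENT_CHECKSUMS is the setting named
# in the issue; every other name here is hypothetical.
WEAK = frozenset({"md5", "sha1"})


class SyncRefused(Exception):
    """Raised when a package may not be synced under the given policy."""


def verification_algorithms(advertised, policy, allowed, allow_weak_on_demand=False):
    """Return the checksum types that may verify one package, or raise SyncRefused.

    advertised: {algorithm: hex digest} as published in the repository metadata
    policy: "immediate" or "on_demand"
    allowed: the ALLOWED_CONTENT_CHECKSUMS list (applies to every policy)
    allow_weak_on_demand: hypothetical opt-out restoring the current behavior
    """
    usable = {alg for alg, digest in advertised.items() if digest and alg in allowed}
    if not usable:
        # Existing gate: nothing the installation trusts, so no sync of any kind.
        raise SyncRefused("no checksum permitted by ALLOWED_CONTENT_CHECKSUMS")
    strong = usable - WEAK
    if strong:
        return sorted(strong)
    if policy == "on_demand" and not allow_weak_on_demand:
        # Proposed gate: only md5/sha1 are available and the download is deferred.
        raise SyncRefused("on-demand sync with only md5/sha1 checksums")
    return sorted(usable)


def plan_sync(packages, policy, allowed, allow_weak_on_demand=False):
    """Split {name: advertised} into (accepted, refused) for a whole repository."""
    accepted, refused = {}, {}
    for name, advertised in packages.items():
        try:
            accepted[name] = verification_algorithms(
                advertised, policy, allowed, allow_weak_on_demand)
        except SyncRefused as exc:
            refused[name] = str(exc)
    return accepted, refused


# Constructed sample metadata (digests are placeholders, not real packages).
SAMPLE = {
    "modern.rpm": {"sha256": "ab" * 32, "sha1": "cd" * 20},
    "legacy.rpm": {"sha1": "ef" * 20},
    "ancient.rpm": {"md5": "01" * 16},
}
ALLOWED = ["sha1", "sha256", "sha512"]

if __name__ == "__main__":
    for policy in ("immediate", "on_demand"):
        print(policy, plan_sync(SAMPLE, policy, ALLOWED))
```

With this sample, `legacy.rpm` syncs immediately but is refused on demand until the opt-out is enabled, while `ancient.rpm` is refused under every policy because md5 is absent from the allowed list.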