Archive garbage-collection relies on MD5 checksums
Bug #2038345 reported by
Dimitri John Ledkov
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Launchpad itself |
Fix Released
|
High
|
Colin Watson | ||
Bug Description
archivepublisher improvements
I was looking to remove md5 usage in launchpad archivepublisher.
I have noticed that md5 sum is possibly being used to decide whether to remove files or not.
I'm not sure if that is harmless or security sensitive.
Nowadays with accelerated sha256 widely available there are no reasons to use md5 hash here.
Hence proposing to replace md5 usage in canRemove() with sha256.
I have shared access to private (just in case) repository with this patch to launchpad & canonical-security teams at:
Or git clone lp:~xnox/launchpad/+git/launchpad-private -b deathrow-patch
| tags: | added: patch |
Revision history for this message
| Colin Watson (cjwatson) wrote | #1 |
Revision history for this message
| Colin Watson (cjwatson) wrote | #2 |
| summary: |
- archivepublisher improvements + Archive garbage-collection relies on MD5 checksums |
| Changed in launchpad: | |
| assignee: | nobody → Colin Watson (cjwatson) |
| importance: | Undecided → High |
| status: | New → Fix Released |
| information type: | Private Security → Public Security |
To post a comment you must log in.
Can you please make a merge proposal? We don't normally review isolated commits, since that means we can't use our normal commenting tools.