click packages supply only DEBIAN/md5sums, but should also supply stronger hashes
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| click (Ubuntu) |
Triaged
|
Medium
|
Unassigned | ||
Bug Description
click packages provide DEBIAN/md5sums. When the package is signed, this is fine to guard against the package being modified without the developer knowing because altering files within the package results in the signature failing to verify.
However, a malicious developer is able to upload a signed package with altered files. We can verify the md5sums automatically to make sure they are in sync, but because MD5 is vulnerable to hash collisions, we can't be 100% sure the files didn't change. This isn't a problem with click or the appstore in and of itself at this time because I don't think DEBIAN/md5sums is being used for change detection, but if we start to rely on the sums in DEBIAN/md5sums for change detection between click package uploads, then we will need to use a stronger hashing algorithm.
Related branches
- PS Jenkins bot (community): Needs Fixing (continuous-integration)
- click hackers: Pending requested
-
Diff: 53 lines (+21/-11)2 files modifiedclick/build.py (+15/-11)
click/tests/test_build.py (+6/-0)
- click hackers: Pending requested
- Diff: 0 lines
| tags: | added: appstore |
| Changed in click (Ubuntu): | |
| importance: | Undecided → Medium |
| Changed in click (Ubuntu): | |
| status: | New → Triaged |
