[ https://issues.apache.org/jira/browse/BEAM-4524?focusedWorklogId=152165&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-152165 ]

ASF GitHub Bot logged work on BEAM-4524:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 08/Oct/18 08:48
            Start Date: 08/Oct/18 08:48
    Worklog Time Spent: 10m 
      Work Description: robertwb commented on issue #6583: [BEAM-4524] Use sha256 instead of insecure md5 for artifact checksums.
URL: https://github.com/apache/beam/pull/6583#issuecomment-427760963
 
 
   MD5 is broken, and the Apache foundation has explicitly asked us to move
   away from it (for release signing at the very least). More importantly, if
   we ever support caching/sharing of pipeline artifacts, this becomes a
   security risk.
   
   
   On Sat, Oct 6, 2018 at 12:46 AM Henning Rohde <[email protected]>
   wrote:
   
   > MD5 is a checksum used by GCS, Azure storage and others. It's convenient
   > that they match. The checksum is not used for security decisions. Is there
   > a JIRA describing the rationale for changing it?
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


Issue Time Tracking
-------------------

            Worklog Id:     (was: 152165)
            Time Spent: 10m
    Remaining Estimate: 0h

> We should not be using md5 to validate artifact integrity.
> ----------------------------------------------------------
>
>                 Key: BEAM-4524
>                 URL: https://issues.apache.org/jira/browse/BEAM-4524
>             Project: Beam
>          Issue Type: Task
>          Components: beam-model
>            Reporter: Robert Bradshaw
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> https://github.com/apache/beam/blob/6f239498e676f471427e17abc4bc5cffba9887c5/model/job-management/src/main/proto/beam_artifact_api.proto#L63
> Something like sha256 would probably be sufficient. 
> https://en.wikipedia.org/wiki/MD5#Overview_of_security_issues



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
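
An added example, not code from Beam or from the pull request: a shared artifact cache that keys blobs by SHA-256 digest and re-verifies them on retrieval, which is the caching/sharing scenario the comment above raises. `SharedArtifactCache`, the manifest fields `name` and `sha256`, and the sample bytes are assumptions.

```python
import hashlib
import hmac
import io
import re

SHA256_HEX = re.compile(r"[0-9a-f]{64}")  # 256-bit digest, lowercase hex


class IntegrityError(Exception):
    """Raised when an artifact does not match the digest in its manifest entry."""


def sha256_hex(stream, chunk_size=64 * 1024):
    """Hash a file-like object in chunks so large artifacts are not held in memory twice."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


class SharedArtifactCache:
    """Hypothetical cache shared between jobs; blobs are keyed by content digest."""

    def __init__(self):
        self._blobs = {}  # digest -> bytes; stands in for shared storage

    def stage(self, name, data):
        """Store an artifact and return its manifest entry (field names are assumptions)."""
        digest = sha256_hex(io.BytesIO(data))
        self._blobs.setdefault(digest, data)  # identical content is stored once
        return {"name": name, "sha256": digest}

    def retrieve(self, entry):
        """Return the artifact bytes only if they still hash to the manifest digest."""
        expected = entry["sha256"]
        # Reject anything that is not a full SHA-256 digest, e.g. a 32-char MD5 value.
        if not SHA256_HEX.fullmatch(expected):
            raise IntegrityError("manifest digest for %r is not SHA-256" % entry["name"])
        blob = self._blobs[expected]  # KeyError means a cache miss, not tampering
        actual = sha256_hex(io.BytesIO(blob))
        # The key alone proves nothing: storage may have been modified after staging.
        if not hmac.compare_digest(actual, expected):
            raise IntegrityError("artifact %r failed verification" % entry["name"])
        return blob
```

Because the cache key is the digest itself, the safety of sharing entries between jobs rests on the hash being collision resistant, which is why the choice of algorithm matters once artifacts are cached or shared.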
