** Summary changed:
- placeholder
+ python-apt uses MD5 for validation
** Description changed:
- Placeholder bug.
+ Only MD5 is checked (most versions)
+
+ In stable releases, and unstable, they only check MD5 sums of the files they
download. 1.9.0 was broken as it still referred to the md5 field, but the field
went away, so it would raise an exception if you tried to use it - so that's
safe :D
+
+ experimental (1.9.1) checks all hash sums, but only if some are present - it
would happily accept an empty list of hashes - 1.9.2 will fix this issue by
checking that the list of hashes is "usable", as it's called in apt, completing
the proper fix.
+
+ The only versions not affected by this are the ones in Ubuntu eoan and focal,
as they hardcoded SHA256 instead of MD5 as a workaround to code failing because
MD5 went away.
** Information type changed from Private Security to Public Security
https://bugs.launchpad.net/bugs/1858972
Title:
python-apt uses MD5 for validation
Status in python-apt package in Ubuntu:
Fix Released
Bug description:
Only MD5 is checked (most versions)
In stable releases, and unstable, they only check MD5 sums of the files they
download. 1.9.0 was broken as it still referred to the md5 field, but the field
went away, so it would raise an exception if you tried to use it - so that's
safe :D
experimental (1.9.1) checks all hash sums, but only if some are present - it
would happily accept an empty list of hashes - 1.9.2 will fix this issue by
checking that the list of hashes is "usable", as it's called in apt, completing
the proper fix.
The only versions not affected by this are the ones in Ubuntu eoan and focal,
as they hardcoded SHA256 instead of MD5 as a workaround to code failing because
MD5 went away.
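The two failure modes in the bug description above (checking MD5 only, and accepting an empty list of hashes) are shown here in a small verifier that refuses a hash list that is not "usable". This is an added example, not code from python-apt or apt; the names `is_usable` and `verify`, and the choice of SHA256/SHA512 as the strong set, are assumptions of the example.

```python
import hashlib
import hmac

# Assumption of this example: which algorithms count as strong enough on their own.
STRONG = {"sha256", "sha512"}
KNOWN = STRONG | {"md5", "sha1"}


def is_usable(expected):
    """True if the expected-hash list has at least one strong entry."""
    return any(algo in STRONG for algo, _ in expected)


def verify(data, expected):
    """Check data against every (algorithm, hexdigest) pair in expected.

    Returns (ok, reason). An empty or weak-only list is rejected before
    any digest is computed, so "nothing to check" never means "valid".
    """
    if not expected:
        return False, "no hashes supplied"
    if not is_usable(expected):
        return False, "only weak hashes supplied"
    for algo, want in expected:
        if algo not in KNOWN:
            return False, "unknown algorithm: " + algo
        got = hashlib.new(algo, data).hexdigest()
        if not hmac.compare_digest(got, want.lower()):
            return False, algo + " mismatch"
    return True, "ok"


# Constructed sample input, not taken from a real archive.
SAMPLE = b"constructed package payload\n"
GOOD = [("md5", hashlib.md5(SAMPLE).hexdigest()),
        ("sha256", hashlib.sha256(SAMPLE).hexdigest())]

if __name__ == "__main__":
    for label, data, hashes in [
        ("all hashes match", SAMPLE, GOOD),
        ("empty list", SAMPLE, []),
        ("md5 only", SAMPLE, GOOD[:1]),
        ("tampered data", SAMPLE + b"x", GOOD),
    ]:
        print(label, "->", verify(data, hashes))
```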