Bug 834743 - fedpkg is depending on md5, which is not allowed in fips mode
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: fedpkg
Version: 24
Assigned To: cqi
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-06-23 01:08 EDT by Paul Wouters
Modified: 2018-04-11 04:28 EDT
Doc Type: Bug Fix
Last Closed: 2016-12-13 03:18:26 EST
Type: Bug
Description Paul Wouters 2012-06-23 01:08:22 EDT
fedpkg won't work in fips mode because it checks the file download checksums in the sources file using md5.

md5 is weak, and we should not trust it to verify network obtained files.

It would be good if we can migrate away from md5 in the sources file to sha1 or sha256. As this migration will probably take a while, due to packagers needing to update their sources files, it should start sooner rather than later.
Comment 1 Kamil Dudka 2012-08-28 08:41:54 EDT
Is there any workaround for this bug?
Comment 2 Fedora Admin XMLRPC Client 2012-11-30 13:27:28 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 3 Fedora End Of Life 2013-04-03 10:32:24 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19
Comment 4 Dennis Gilmore 2013-12-15 19:20:48 EST
lookaside cache needs md5. right now it is absolutely required. we need to convert the whole lookaside cache to sha356sum to move off of needing md5
Comment 5 Jan Kurik 2015-07-15 11:07:14 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.

(As we did not run this process for some time, it could affect also pre-Fedora 23 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23
Comment 6 Jan Kurik 2016-02-24 08:11:38 EST
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase
Comment 7 cqi 2016-08-23 04:00:58 EDT
Is sha512sum okay?
Comment 8 Lubomír Sedlář 2016-12-13 03:18:26 EST
As of Dec 12 and fedpkg-1.26 newly uploaded sources will use SHA512.

https://fedoraproject.org/wiki/ReleaseEngineering/FlagDay2016
Comment 9 Paul Wouters 2016-12-13 14:39:28 EST
awesome! Thanks!
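
As an added illustration (not fedpkg's code and not part of the bug thread), a verifier for a `sources` file that applies the outcome discussed above: SHA512/SHA256 entries are checked, and MD5 entries are refused before any MD5 call is made, so it behaves the same on a FIPS-mode host. The two line layouts, the `ALLOWED` policy, and all function names and sample data are assumptions made for this example.

```python
import hashlib
import hmac
import re

# Assumed line layouts (not quoted in the bug):
#   legacy:    "<32 hex digits>  <filename>"        (implicitly MD5)
#   BSD-style: "SHA512 (<filename>) = <hex digest>"
BSD_LINE = re.compile(r"^(?P<algo>[A-Za-z0-9]+) \((?P<name>.+)\) = (?P<digest>[0-9a-fA-F]+)$")
LEGACY_LINE = re.compile(r"^(?P<digest>[0-9a-fA-F]{32})\s+(?P<name>\S.*)$")
ALLOWED = {"sha256", "sha512"}  # hypothetical local policy: no MD5, no SHA-1


def parse_sources(text):
    """Yield (algorithm, filename, hex_digest) for each non-empty line."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        bsd = BSD_LINE.match(line)
        legacy = LEGACY_LINE.match(line)
        if bsd:
            yield bsd["algo"].lower(), bsd["name"], bsd["digest"].lower()
        elif legacy:
            yield "md5", legacy["name"], legacy["digest"].lower()
        else:
            raise ValueError(f"unrecognised sources line: {line!r}")


def verify(text, files):
    """Return {filename: status}; files maps filename -> downloaded bytes."""
    results = {}
    for algo, name, expected in parse_sources(text):
        if algo not in ALLOWED:  # checked first, so MD5 is never invoked
            results[name] = f"rejected: {algo} not allowed by policy"
        elif name not in files:
            results[name] = "missing"
        else:
            actual = hashlib.new(algo, files[name]).hexdigest()
            ok = hmac.compare_digest(actual, expected)
            results[name] = "ok" if ok else "mismatch"
    return results


# Constructed sample: one legacy (MD5) entry and one SHA512 entry.
FILES = {"example-1.0.tar.gz": b"constructed tarball contents"}
SOURCES = (
    "d41d8cd98f00b204e9800998ecf8427e  legacy-0.9.tar.gz\n"
    f"SHA512 (example-1.0.tar.gz) = {hashlib.sha512(FILES['example-1.0.tar.gz']).hexdigest()}\n"
)
```

Calling `verify(SOURCES, FILES)` reports the legacy entry as rejected by policy and the SHA512 entry as `ok`.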
