-
Notifications
You must be signed in to change notification settings - Fork 2.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use of sha1sum in official image Dockerfiles should be replaced with use of a stronger digest function #1185
Use of sha1sum in official image Dockerfiles should be replaced with use of a stronger digest function #1185
Comments
We would love to do this but we can only use what upstream releases. I looked at a few and here is what I found:
So we would really need to talk to the release team of each upstream project to convince them to release more secure hashes. If there are some projects that now have a better hash we would gladly accept a PR to improve them. |
At https://github.com/docker-library/official-images#security, the example already uses SHA-256, so that's good. I suggest that the documentation be amended slightly to explicitly call out that SHA-256 or better be used and that SHA-1 and MD5 shouldn't be used.
I agree. I think that having the documentation explicitly recommending a more secure hash would be a good step in convincing them. Then people can open PRs in those projects pointing to that part of the documentation as evidence that the change is important. |
See https://github.com/search?q=org%3Adocker-library+sha1sum&type=Code, which shows a lot of Dockerfiles are checking the integrity of packages with sha1sum.
We could speculate on how easy it would be to send an open source project a patch that gets merged that would enable a SHA-1 collision that would result in something bad happening to somebody, but let's not.
Instead, I suggest that the guidelines for Dockerfile authors should be updated to explicitly say that SHA-256 or SHA-384 should be used to verify file integrity, instead of
sha1sum
. And then, if there is some way of doing so, it would be good to contact current Dockerfile authors and ask them to update their scripts.The text was updated successfully, but these errors were encountered: