Removes md5 and sha1 from checksum defaults #1123

Merged
merged 1 commit into from Feb 12, 2021
2 changes: 1 addition & 1 deletion .github/workflows/scripts/install.sh
Expand Up @@ -61,7 +61,7 @@ services:
VARSYAML

cat >> vars/main.yaml << VARSYAML
pulp_settings: {"allowed_content_checksums": ["sha1", "sha224", "sha256", "sha384", "sha512"], "allowed_export_paths": ["/tmp"], "allowed_import_paths": ["/tmp"]}
pulp_settings: {"allowed_export_paths": ["/tmp"], "allowed_import_paths": ["/tmp"]}
VARSYAML

if [[ "$TEST" == "pulp" || "$TEST" == "performance" || "$TEST" == "s3" || "$TEST" == "plugin-from-pypi" ]]; then
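
Review bot: With the `allowed_content_checksums` override dropped from `pulp_settings` in the `vars/main.yaml` heredoc, CI only ever runs against the default list, so nothing here exercises an instance that re-enables `sha1` (which the old override did) or `md5`. Consider keeping one job or test case that sets a non-default `allowed_content_checksums`, so the path where an operator opts back in stays covered.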
2 changes: 1 addition & 1 deletion .github/workflows/scripts/script.sh
Expand Up @@ -34,7 +34,7 @@ if [[ "$TEST" = "docs" || "$TEST" = "publish" ]]; then
echo "Validating OpenAPI schema..."
cat $PWD/.ci/scripts/schema.py | cmd_stdin_prefix bash -c "cat > /tmp/schema.py"
cmd_prefix bash -c "python3 /tmp/schema.py"
# cmd_prefix bash -c "pulpcore-manager spectacular --file pulp_schema.yml --validate"
cmd_prefix bash -c "pulpcore-manager spectacular --file pulp_schema.yml --validate"
Member

Are there changes in plugin_template?
Basically is it a custom change or rolled out from the plugin template?

Member Author

Kind of surprisingly, there weren't changes needed in the plugin template. I reapplied the HEAD of plugin_template and it produced this. This particular line is just some unrelated change being brought in from its reapplication.

Contributor

Yea this check was added a while ago but enabled post-3.10.

pulp/plugin_template@556276a


if [ -f $POST_DOCS_TEST ]; then
source $POST_DOCS_TEST
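
Review bot: Enabling `pulpcore-manager spectacular --file pulp_schema.yml --validate` in the docs/publish branch is unrelated to the checksum defaults, and it makes a schema validation failure fail this job. Since it comes from reapplying plugin_template, say so in the commit message, or land it as its own commit so the checksum change can be reverted independently.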
3 changes: 3 additions & 0 deletions CHANGES/8246.removal
@@ -0,0 +1,3 @@
Adjusted the ``ALLOWED_CONTENT_CHECKSUMS`` setting to remove ``md5`` and ``sha1`` since they are
insecure. Now, by default, the ``ALLOWED_CONTENT_CHECKSUMS`` contain ``sha224``, ``sha256``,
``sha384``, and ``sha512``.
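
Review bot: The entry states that `md5` and `sha1` were removed from the default but not what an operator should do on upgrade. docs/settings.rst in this same change points at `pulpcore-manager handle-artifact-checksums` for the case where Pulp fails to start over forbidden or missing checksums; mention that command here, and that the two algorithms are still in the supported set and can be listed explicitly in `ALLOWED_CONTENT_CHECKSUMS`. Also, "the ``ALLOWED_CONTENT_CHECKSUMS`` contain" should read "contains".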
3 changes: 3 additions & 0 deletions CHANGES/plugin_api/8246.removal
@@ -0,0 +1,3 @@
Adjusted the ``ALLOWED_CONTENT_CHECKSUMS`` setting to remove ``md5`` and ``sha1`` since they are
insecure. Now, by default, the ``ALLOWED_CONTENT_CHECKSUMS`` contain ``sha224``, ``sha256``,
``sha384``, and ``sha512``.
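
Review bot: This plugin API entry is word for word the user-facing CHANGES/8246.removal text and says nothing plugin-specific. If plugin code can no longer assume `md5` or `sha1` are present in `ALLOWED_CONTENT_CHECKSUMS`, state that here so plugin authors know to check the setting; otherwise a single entry is enough.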
18 changes: 7 additions & 11 deletions docs/settings.rst
Expand Up @@ -247,23 +247,19 @@ PROFILE_STAGES_API
ALLOWED_CONTENT_CHECKSUMS
^^^^^^^^^^^^^^^^^^^^^^^^^

The list of content-checksums this pulp-instance is **allowed to use**. This list is a
proper subset of the checksums defined by the Artifact model. You may safely list fewer
algorithms than the Artifact model supports (although see the warning below regarding ``sha256``),
but adding unknown algorithms will cause unexpected behavior.
The list of content-checksums this pulp-instance is **allowed to use**. By default the following
are used::

See :ref:`Configuration` for details on how to change configuration-options.
ALLOWED_CONTENT_CHECKSUMS = ["sha224", "sha256", "sha384", "sha512"]

The entire set of supported checksums are: ``md5``, ``sha1``, ``sha224``, ``sha256``,
``sha384``, and ``sha512``. After modifying this setting, you likely will need to run
``pulpcore-manager handle-artifact-checksums`` or Pulp will refuse to start.

.. warning::
Due to its use as a primary content-identifier, "sha256"" **IS REQUIRED**. Pulp will
fail to start if it is not found in this set.

.. warning::
Specifying checksums that are not available to models.Artifact will cause Pulp to fail to start.
The complete set of supported checksum algorithms includes the following:

``{"md5", "sha1", "sha224", "sha256", "sha384", "sha512"}``

.. warning::
If Pulp fails to start because forbidden checkums have been identified or required ones are
missing, run ``pulpcore-manager handle-artifact-checksums`` command. This command is in
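
Review bot: The reworked section lists `md5` and `sha1` in the complete set of supported algorithms without saying why they are left out of the default shown above it. Add a sentence, matching the changelog entry, that they are excluded because they are insecure, so a reader does not add them back just because they are listed as supported. While editing this section, note that the surrounding warnings still contain `"sha256""` with a doubled quote and the misspelling `checkums`.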
2 changes: 1 addition & 1 deletion pulpcore/app/settings.py
Expand Up @@ -254,7 +254,7 @@
# NOTE : "sha256"" IS REQUIRED - Pulp will fail to start if it is not found in this set
# NOTE: specifying checksums that are not listed under ALL_KNOWN_CONTENT_CHECKSUMS will fail
# at startup
ALLOWED_CONTENT_CHECKSUMS = ["md5", "sha1", "sha224", "sha256", "sha384", "sha512"]
ALLOWED_CONTENT_CHECKSUMS = ["sha224", "sha256", "sha384", "sha512"]

# HERE STARTS DYNACONF EXTENSION LOAD (Keep at the very bottom of settings.py)
# Read more at https://dynaconf.readthedocs.io/en/latest/guides/django.html
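
Review bot: The new `ALLOWED_CONTENT_CHECKSUMS` default drops `md5` and `sha1`, but the NOTE comments directly above it give no reason, and the first one still has the stray quote in `"sha256""`. A one-line comment that the two were removed as insecure, and that changing the list may require `pulpcore-manager handle-artifact-checksums`, would keep them from being quietly re-added.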
6 changes: 0 additions & 6 deletions template_config.yml
Expand Up @@ -30,12 +30,6 @@ plugin_name: pulpcore
plugin_snake: pulpcore
publish_docs_to_pulpprojectdotorg: true
pulp_settings:
allowed_content_checksums:
- sha1
- sha224
- sha256
- sha384
- sha512
allowed_export_paths:
- /tmp
allowed_import_paths: