Get rid of md5 support for fixed-output derivations

[domenkozar]

We're in 2014 and even universities have a course where students forge md5 hashes of files.

Biggest usage of md5 hashes in nixpkgs is python, followed by libreoffice (scripted install).

$ git grep "md5 ="|grep -v libreoffice | grep -v python-|grep -v redhat|grep -v suse|wc -l                                                                                                        
141

$ git grep "md5 =" pkgs/top-level/python-packages.nix | wc -l
273

Observations:

nix-prefetch- should print out multiple hashes together with fetch functions supporting and verifying all of specified hashes

Q/A:

it is considered best practice to use it when that's what upstream provides

That's a very bad security practice. It trades user security for few seconds of maintainer time.

TODO

• libreoffice uses md5 during generation
• pkgs/games/steam/runtime-generated.nix uses md5 during generation
• 91 other derivations
• deprecate md5 support
• revert 2ca8833

[robberer]

This is not as trivial as i thought because nix-prefetch-url does not check if the downloaded archive is a valid archive. e.g. my update for cups is invalid because nix-prefetch-url just downloaded a HTML file instead of an tar.bz2. i will prepare a fix. At least for cups. Or should we revert commit ?

[domenkozar]

Fixing cups is OK.

[copumpkin]

👍

[copumpkin]

Can we broaden this to also deprecate sha1 for similar reasons? It's not as broken as md5, but it's also not considered particularly good when used for security purposes.

[copumpkin]

Perhaps fetchurl and friends could even display a warning when passed md5 or sha1s that tells you that the practice is deprecated and give you a sha256 to replace it with in the expression.

[7c6f434c]

Can we broaden this to also deprecate sha1 for similar reasons? It's not as broken as md5, but it's also not considered particularly good when used for security purposes.

Unfortunately, some projects still publish signed lists of SHA1s and
some Nix package maintainers seem to use these lists.

Another problem is that we don't seem to support SHA512: Firefox has
official SHA1 list and SHA512 list.

[copumpkin]

Perhaps we could then include both, making the sha256 attribute mandatory? The sha1/md5 can be used to check against upstream lists, whereas the sha256 serves to give you certainty that what you're deploying is what you think it is.

[7c6f434c]

Perhaps we could then include both, making the sha256 attribute mandatory? The sha1/md5 can be used to check against upstream lists, whereas the sha256 serves to give you certainty that what you're deploying is what you think it is.

For firefox-bin the whole feasibility of including all the languages
hinges on not downloading all the packages but using Mozilla-provided
checksum lists.

[vcunat]

I think forbidding sha1 is a huge overkill ATM. In most packages there's even no way of securely retrieving the hash/tarball (no signature or https at least).

If I wanted to attack nixpkgs, I'd become a contributor, so I'd get commit access relatively easily, and then I could sneak in whatever forged hashes I needed (unlikely to be noticed if done well).