| Message ID | 20260513144621.440431-1-JPEWhacker@gmail.com |
|---|---|
| State | New |
| Series | [bitbake-devel] fetch: Upgrade shown checksum to SHA-512 |
On Wed, 13 May 2026 at 16:46, Joshua Watt via lists.openembedded.org
<JPEWhacker=gmail.com@lists.openembedded.org> wrote:
> CHECKSUM_LIST = [ "goh1", "md5", "sha256", "sha1", "sha384", "sha512" ]
> -SHOWN_CHECKSUM_LIST = ["sha256"]
> +SHOWN_CHECKSUM_LIST = ["sha256", "sha512"]

This raises so many questions :)

- why suggest adding/fixing both sha256 and sha512 to users, and not just sha512? One checksum is enough, and causes less visual clutter in recipes
- if sha512 is suggested, should devtool be tweaked to add that in version upgrades and newly added recipes? (something similar was previously done to assist md5 to sha256 transition)
- last but not least, should we look into adding support for better, newer ways to identify commits in git, replacing the classic, not-that-secure sha1?

Alex
On Wed, May 13, 2026 at 2:21 PM Alexander Kanavin <alex.kanavin@gmail.com> wrote:
>
> On Wed, 13 May 2026 at 16:46, Joshua Watt via lists.openembedded.org
> <JPEWhacker=gmail.com@lists.openembedded.org> wrote:
> > CHECKSUM_LIST = [ "goh1", "md5", "sha256", "sha1", "sha384", "sha512" ]
> > -SHOWN_CHECKSUM_LIST = ["sha256"]
> > +SHOWN_CHECKSUM_LIST = ["sha256", "sha512"]
>
> This raises so many questions :)
> - why suggest adding/fixing both sha256 and sha512 to users, and not
> just sha512? One checksum is enough, and causes less visual clutter in
> recipes

I suspect we'd want to make SHA-512 the only option by the next LTS. I don't have a strong opinion if we do that now or in a future release.

> - if sha512 is suggested, should devtool be tweaked to add that in
> version upgrades and newly added recipes? (something similar was
> previously done to assist md5 to sha256 transition)

Probably, but only if we make SHA 512 the only option, so see above.

> - last but not least, should we look into adding support for better,
> newer ways to identify commits in git, replacing the classic,
> not-that-secure sha1 ?

I've not seen any guidance about what to do with git SHAs in e.g. BSI TR-03183, so I'm operating under the assumption that SHA 1 is fine for now. If you know of a better way to do it, and/or see some specification that demands we do something different, we can discuss that. Either way, I would consider changing the way git works as out of scope for this change.

>
> Alex
On Wed, 2026-05-13 at 08:46 -0600, Joshua Watt via lists.openembedded.org wrote:
> Regulatory standards for Software Bill of Materials like BSI TR-03183
> [1] are requiring SHA 512 as the minimum checksum for validation.
> Upgrade the checksum suggested by the bitbake fetcher to align with this
> requirement.
>
> Note that the checker has allowed SHA 512 as the checksum for some time
> now, this only changes the checksum that is suggested by tooling.
>
> [1]: https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Technische-Richtlinien/TR-nach-Thema-sortiert/tr03183/TR-03183_node.html
>
> Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
> ---
> lib/bb/fetch2/__init__.py | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/bb/fetch2/__init__.py b/lib/bb/fetch2/__init__.py
> index f7d5dfe9a..1e78c4fda 100644
> --- a/lib/bb/fetch2/__init__.py
> +++ b/lib/bb/fetch2/__init__.py
> @@ -35,7 +35,7 @@ _revisions_cache = bb.checksum.RevisionsCache()
> logger = logging.getLogger("BitBake.Fetcher")
>
> CHECKSUM_LIST = [ "goh1", "md5", "sha256", "sha1", "sha384", "sha512" ]
> -SHOWN_CHECKSUM_LIST = ["sha256"]
> +SHOWN_CHECKSUM_LIST = ["sha256", "sha512"]
>
> class BBFetchException(Exception):
>     """Class all fetch exceptions inherit from"""
>

This change will need a tweak to one of the devtool tests:

devtool.DevtoolUpgradeTests.test_devtool_upgrade_drop_md5sum

https://autobuilder.yoctoproject.org/valkyrie/#/builders/48/builds/3720
https://autobuilder.yoctoproject.org/valkyrie/#/builders/35/builds/3853

Cheers,

Richard
diff --git a/lib/bb/fetch2/__init__.py b/lib/bb/fetch2/__init__.py
index f7d5dfe9a..1e78c4fda 100644
--- a/lib/bb/fetch2/__init__.py
+++ b/lib/bb/fetch2/__init__.py
@@ -35,7 +35,7 @@ _revisions_cache = bb.checksum.RevisionsCache()
 logger = logging.getLogger("BitBake.Fetcher")
 
 CHECKSUM_LIST = [ "goh1", "md5", "sha256", "sha1", "sha384", "sha512" ]
-SHOWN_CHECKSUM_LIST = ["sha256"]
+SHOWN_CHECKSUM_LIST = ["sha256", "sha512"]
 
 class BBFetchException(Exception):
     """Class all fetch exceptions inherit from"""
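Review bot: the hunk keeps "sha256" in SHOWN_CHECKSUM_LIST alongside "sha512", so the fetcher will now ask users to add two checksum lines to a recipe, which does not match the subject "Upgrade shown checksum to SHA-512" and is exactly the visual-clutter concern raised in the thread; either reduce it to `SHOWN_CHECKSUM_LIST = ["sha512"]` or state in the commit message that suggesting both is a deliberate transitional step until SHA-512 becomes the only option. The thread also notes that this change breaks devtool.DevtoolUpgradeTests.test_devtool_upgrade_drop_md5sum on the autobuilder, so the devtool test update should be part of the same series rather than a follow-up.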
Regulatory standards for Software Bill of Materials like BSI TR-03183 [1] are requiring SHA 512 as the minimum checksum for validation. Upgrade the checksum suggested by the bitbake fetcher to align with this requirement.

Note that the checker has allowed SHA 512 as the checksum for some time now, this only changes the checksum that is suggested by tooling.

[1]: https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Standards-und-Zertifizierung/Technische-Richtlinien/TR-nach-Thema-sortiert/tr03183/TR-03183_node.html

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
---
 lib/bb/fetch2/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
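To make the behaviour under discussion concrete, here is an added, self-contained illustration (not bitbake's own code) of what the fetcher's checksum check does with the two lists from the patch: declared SRC_URI sums are verified against the fetched bytes, and when a recipe declares none, the user is told to add one line per entry in SHOWN_CHECKSUM_LIST, which is the output the patch changes from one line to two. The function names and the sample bytes are assumptions; "goh1" is omitted because it is not a plain hashlib digest.

```python
import hashlib

# Mirrors the two lists from lib/bb/fetch2/__init__.py; "goh1" (Go module
# hash) is left out because it is not a plain hashlib digest.
CHECKSUM_LIST = ["md5", "sha256", "sha1", "sha384", "sha512"]
SHOWN_CHECKSUM_LIST_BEFORE = ["sha256"]            # before the patch
SHOWN_CHECKSUM_LIST_AFTER = ["sha256", "sha512"]   # after the patch


def compute_checksums(data: bytes, names=CHECKSUM_LIST) -> dict:
    """Hex digests of the fetched bytes for every supported checksum name."""
    return {n: hashlib.new(n, data).hexdigest() for n in names}


def check_recipe(ud_name: str, data: bytes, declared: dict,
                 shown=SHOWN_CHECKSUM_LIST_AFTER):
    """Verify the SRC_URI[<name>sum] values a recipe declares against the
    fetched bytes (hypothetical helper, not bitbake's API).

    Returns (ok, messages). With no supported checksum declared, ok is False
    and messages carry the recipe lines the user is asked to add, one per
    entry in the shown list; otherwise every declared sum is checked."""
    actual = compute_checksums(data)
    declared = {k: v for k, v in declared.items() if k in CHECKSUM_LIST}
    messages = []
    if not declared:
        messages.append(f"Missing SRC_URI checksum for '{ud_name}', add:")
        for n in shown:
            messages.append(f'SRC_URI[{n}sum] = "{actual[n]}"')
        return False, messages
    ok = True
    for n, expected in declared.items():
        if actual[n] != expected.lower():
            ok = False
            messages.append(f"{n}sum mismatch for '{ud_name}': "
                            f"expected {expected}, got {actual[n]}")
    return ok, messages


if __name__ == "__main__":
    # Constructed stand-in for a downloaded tarball; not a real artefact.
    blob = b"constructed sample archive contents\n"
    for shown in (SHOWN_CHECKSUM_LIST_BEFORE, SHOWN_CHECKSUM_LIST_AFTER):
        ok, msgs = check_recipe("foo-1.0.tar.gz", blob, {}, shown)
        print(f"shown={shown}: ok={ok}")
        print("\n".join(msgs))
```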