mirror/flatpak
1
0
Fork 0
mirror of https://github.com/flatpak/flatpak.git synced 2026-03-10 11:12:46 -04:00
Code Issues Packages Projects Releases Wiki Activity

dir: Use SHA256, not SHA1, to name the cache for a filtered remote

Browse Source 
SHA1 hashes are considered weak these days. Some distributions have
static analysis tools to detect the use of such weak hashes, and they
get triggered by flatpak. While this particular use of SHA1 in flatpak
is likely not security sensitive, it's also easy to move to SHA256 to
avoid any debate.

Here, the SHA1 hash of a named remote's filter file is used to generate
the name of the directory where the refs from that remote are cached.
One can reasonably assume that the cache is frequently invalidated
because the list of refs on the remote changes all the time. Hence,
it's not big problem if it gets invalidated once more because of this
change.
This commit is contained in:
Debarshi Ray
2022-01-31 21:17:29 +01:00
committed by Simon McVittie
parent e017db9c5c
commit 5c59f1b2a8
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
common/flatpak-dir.c
View File

@@ -10923,7 +10923,7 @@ remote_filter_load (GFile *path, GError **error)
}
filter = g_new0 (RemoteFilter, 1);
filter->checksum = g_compute_checksum_for_data (G_CHECKSUM_SHA1, (guchar *)data, data_size);
filter->checksum = g_compute_checksum_for_data (G_CHECKSUM_SHA256, (guchar *)data, data_size);
filter->path = g_object_ref (path);
filter->mtime = mtime;
filter->last_mtime_check = g_get_monotonic_time ();