Bug #18356
closed
Please replace use of unsafe MD5 with another digest algorithm
Description
Similarly to https://bugs.ruby-lang.org/issues/18272
Context¶
When working on a new version of RHEL (with Ruby 3.0), the requirement is to have a better security (remove unsafe digests or limit the use for non-security purposes). This would be achieved with using OpenSSL 3.0 as well, which will have a raised security level by default, forbidding the use of unsafe digests.
Issue¶
MD5 does not conform to the security requirements, and its replacement would be preferred.
Currently, the following files indicate it's use:
rubygems/package.rb: return super unless gem.start.include? 'MD5SUM ='
bundler/compact_index_client/cache.rb: name += "-#{SharedHelpers.digest(:MD5).hexdigest(name).downcase}"
bundler/compact_index_client/updater.rb: SharedHelpers.digest(:MD5).hexdigest(File.read(path))
bundler/source/rubygems/remote.rb: uri_digest = SharedHelpers.digest(:MD5).hexdigest(uri_parts.compact.join("."))
bundler/vendor/thor/lib/thor/runner.rb: :filename => Digest::MD5.hexdigest(name + as),
Alternative solution¶
The use for non-security purposes might be indicated with setting an internal variable (when using OpenSSL implementation), which would allow the use of MD5 (although forbidden via OpenSSL setting). Do you think this would be possible?
Question¶
AFAICT in Ruby it is used for non-security purposes only. Could you confirm that?
Additional information¶
The tests failed on digests/md5 removal:
https://gist.github.com/pvalena/ce6af993c6fe7c825cc41be81e1944ad
Updated by 
Updated by 
Updated by 
Updated by 
Updated by