Let's avoid using md5 as checksum
Eric Hall
opendarwin.org at darkart.com
Fri Feb 15 19:48:39 PST 2008
On Sat, Feb 16, 2008 at 04:36:12AM +0100, Rainer Müller wrote:
> js wrote:
> > As you know, MD5 has serious flaws (http://en.wikipedia.org/wiki/MD5)
> > So recently I don't use it and even remove it when I found it in the
> > checksum part of portfile.
> > I thought dropping use of md5 in portfile would be nice.
> >
> > Any thought?
>
> I don't think these flaws are strong enough to discourage use of MD5 as
> a hashsum for file verification yet.
>
Leave in MD5, add one of the others as needed.

Note that the (currently known) flaws in MD5 involve generating
specific files ahead of time, not finding a matching MD5 for an existing file.

Which brings us to: How well do maintainers verify that the
distfile they download and checksum is "valid"? Sure, it unpacks and
builds (well, we sure hope so), but do they know that the authors of
the distfile put together that distfile? I suspect this is a weaker
point than MD5 alone is.

-eric
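
An added illustration, not part of the original message or of MacPorts' own code: a sketch of the "leave in MD5, add one of the others" approach, where a distfile is hashed once and must match every declared checksum. The `type value type value` string format, the function names and the sample bytes are assumptions made for this example.

```python
import hashlib
import io

# Digest types this sketch accepts (hashlib names; an assumption, not a project list).
SUPPORTED = ("md5", "sha1", "sha256")

def parse_checksums(spec):
    """Parse 'type hex type hex ...' into {type: hex} (assumed format)."""
    tokens = spec.split()
    if not tokens or len(tokens) % 2:
        raise ValueError("expected alternating type/value pairs")
    declared = {}
    for kind, value in zip(tokens[0::2], tokens[1::2]):
        kind = kind.lower()
        if kind not in SUPPORTED:
            raise ValueError("unsupported checksum type: " + kind)
        if kind in declared:
            raise ValueError("duplicate checksum type: " + kind)
        declared[kind] = value.lower()
    return declared

def verify_distfile(stream, declared, chunk_size=65536):
    """Hash the stream once with every declared algorithm.

    Returns the sorted list of checksum types that did NOT match;
    an empty list means every declared digest agreed with the file.
    """
    hashers = {kind: hashlib.new(kind) for kind in declared}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for hasher in hashers.values():
            hasher.update(chunk)
    return sorted(kind for kind, want in declared.items()
                  if hashers[kind].hexdigest() != want)

# Constructed sample: stand-in bytes for a distfile and its declared checksums.
SAMPLE = b"constructed distfile contents\n"
SPEC = "md5 {} sha1 {} sha256 {}".format(
    hashlib.md5(SAMPLE).hexdigest(),
    hashlib.sha1(SAMPLE).hexdigest(),
    hashlib.sha256(SAMPLE).hexdigest())

if __name__ == "__main__":
    declared = parse_checksums(SPEC)
    print("original:", verify_distfile(io.BytesIO(SAMPLE), declared))
    print("modified:", verify_distfile(io.BytesIO(SAMPLE + b"x"), declared))
```

A clean result only shows that the file matches what the maintainer hashed; it says nothing about whether the upstream authors produced that file, which is the weaker point raised in the message.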