Let's avoid using md5 as checksum
Boyd Waters
bwaters at nrao.edu
Fri Feb 15 19:48:41 PST 2008
On Feb 15, 2008, at 8:21 PM, Ryan Schmidt wrote:
> I would agree that ports should not use md5 alone, but I would also
> say that ports should not use sha1 or rmd160 alone. Ports should use
> all three checksum types.
>
> port lint should warn if a portfile uses just a single type of
> checksum for a file.
I'm a bit surprised at this.

Technically three sorts of checksum is very strong, but what are we
concerned about here?

I don't think that the problem is malicious code injection. You can
examine the source code if you care to do so.

I think that the checksums provide an easy way to determine that the
correct source distributions have been downloaded. Often downloads are
corrupted. Some distributions do not use version numbers on the file
name; the checksum tells you that you have the correct bits.

MD5 is sufficient for verifying a successful download of a source
tarball.

MD5 may not be sufficient to prevent evil hackers from adding
malicious elements to the source code, but in practice this is not
going to happen: the attacker must transform the code into something
that still compiles, performs their nefarious deeds, and has a given
MD5 hash. I'd love to see a demonstration of that!

That said, I use rmd160 and sha1 for my ports, so who's being paranoid
here? :-)

- boyd
Boyd Waters
Scientific Programmer (and failed MacPorts developer)
National Radio Astronomy Observatory
Socorro, New Mexico
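
One way to implement the lint check proposed in the quoted message, flagging any distfile whose `checksums` entry lists only a single checksum type. This is an added example, not part of the original message and not MacPorts' own `port lint` code; the sample Portfile, file names and digest values are constructed, and the parser assumes the `checksums` option takes optional distfile names followed by type/value pairs.

```python
import re

# The three checksum types named in the thread.
KNOWN_TYPES = {"md5", "sha1", "rmd160"}

def parse_checksums(portfile_text):
    """Return {distfile or None: {type: digest}} for the checksums option.

    None stands for the port's single default distfile (no name given).
    """
    # Join backslash-continued lines so the option sits on one logical line.
    joined = re.sub(r"\\[ \t]*\n", " ", portfile_text)
    result = {}
    for line in joined.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "checksums":
            continue
        current = None
        it = iter(tokens[1:])
        for tok in it:
            if tok in KNOWN_TYPES:
                digest = next(it, None)
                if digest is None:
                    raise ValueError(f"checksum type {tok} has no value")
                result.setdefault(current, {})[tok] = digest
            else:
                current = tok  # a distfile name starts a new checksum group
    return result

def lint_checksums(portfile_text):
    """Return one warning per distfile that relies on a single checksum type."""
    warnings = []
    for distfile, sums in parse_checksums(portfile_text).items():
        if len(sums) == 1:
            only = next(iter(sums))
            name = distfile or "(default distfile)"
            warnings.append(f"{name}: only {only} checksum given")
    return warnings

# Constructed sample Portfile fragment; digests are placeholders, not real hashes.
SAMPLE = """\
name                example
version             1.0
checksums           example-1.0.tar.gz md5 aa11 \\
                    sha1 bb22 \\
                    rmd160 cc33 \\
                    example-data.tar.gz md5 dd44
"""

if __name__ == "__main__":
    for w in lint_checksums(SAMPLE):
        print("Warning:", w)
```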