Let's avoid using md5 as checksum
Rainer Müller
raimue at macports.org
Fri Feb 15 20:02:54 PST 2008
Ryan Schmidt wrote:
> Disagree. Three types of checksums (md5, sha1, rmd160) in a portfile
> are stronger than just two.
>
> I would agree that ports should not use md5 alone, but I would also
> say that ports should not use sha1 or rmd160 alone. Ports should use
> all three checksum types.
If we would do it correctly, we should only use hashes published by the
authors of the software. Although many don't provide any, this would be
the only way to be sure the file is the correct one.

If a port maintainer creates the hashes, who ensures that he got the
right file and not a compromised one? But if no checksums are provided
upstream, Portfile authors will of course have to generate hashes themselves.

We could also add other hashes, basically everything libcrypto provides,
as we are linking to it anyways.
> port lint should warn if a portfile uses just a single type of
> checksum for a file.
Maybe this is desired as the original authors only released one checksum
type? But sure, we could encourage addition of other checksums this way.

In conclusion, as long as we do not take care if the Portfile itself was
transferred securely, we do not have any security by using checksums for
fetches. So checksums just prevent anybody from accidentally using a
corrupted file.

Rainer
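
Added example, not part of the original message and not MacPorts code: a Python sketch of the two checks discussed in this thread, a lint warning when only one checksum type is declared, and verification of a fetched file against every declared type. It assumes a simplified single-file `checksums` line; the function names and the sample "distfile" (the bytes `abc`) are constructed for illustration.

```python
import hashlib

# Checksum type names from the thread mapped to hashlib names.
# Assumption: "rmd160" is hashlib's "ripemd160", which some OpenSSL builds omit.
ALGORITHMS = {"md5": "md5", "sha1": "sha1", "rmd160": "ripemd160"}

def parse_checksums(line):
    """Parse a single-file 'checksums <type> <hex> ...' line into {type: hex}."""
    tokens = line.replace("\\\n", " ").split()
    if not tokens or tokens[0] != "checksums":
        raise ValueError("not a checksums line")
    pairs = tokens[1:]
    if not pairs or len(pairs) % 2:
        raise ValueError("expected <type> <hex> pairs")
    return {pairs[i]: pairs[i + 1].lower() for i in range(0, len(pairs), 2)}

def lint(declared):
    """Warn when only one checksum type is declared or a type is unknown."""
    warnings = [f"unknown checksum type: {t}" for t in declared if t not in ALGORITHMS]
    if len(declared) < 2:
        warnings.append("only one checksum type declared")
    return warnings

def verify(data, declared):
    """Return {type: 'ok' | 'mismatch' | 'unsupported'} for each declared type."""
    results = {}
    for ctype, expected in declared.items():
        try:
            digest = hashlib.new(ALGORITHMS[ctype], data).hexdigest()
        except (KeyError, ValueError):  # unknown type, or not built into libcrypto
            results[ctype] = "unsupported"
            continue
        results[ctype] = "ok" if digest == expected else "mismatch"
    return results

def accept(results):
    """Accept the file only if every declared checksum was checked and matched."""
    return bool(results) and all(r == "ok" for r in results.values())

# Constructed sample: the "distfile" is the bytes b"abc"; the values are its digests.
# The line is trusted input here; it says nothing about how the Portfile arrived.
PORTFILE_LINE = """checksums md5 900150983cd24fb0d6963f7d28e17f72 \\
    sha1 a9993e364706816aba3e25717850c26c9cd0d89d \\
    rmd160 8eb208f7e05d987a9b044a8e98c6b087f15a0bfc"""

if __name__ == "__main__":
    declared = parse_checksums(PORTFILE_LINE)
    print(lint(declared), verify(b"abc", declared), verify(b"abd", declared))
```

A type that the local libcrypto cannot compute is reported as `unsupported` and causes `accept` to reject, so a declared checksum is never silently skipped.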