Let's avoid using md5 as checksum

js ebgssth at gmail.com
Fri Feb 15 21:29:51 PST 2008


> You might say we should therefore use sha1 or rmd160 instead. But
> what if a similar problem is discovered in sha1 or rmd160?

MD5 already has one; the others do not.

> Even if flaws exist in all three checksum algorithms that enable
> differing files to have the same checksum, it is virtually impossible
> for such a flaw to affect more than one checksum algorithm at a time.
> That is, take two different files A and B which have been constructed
> so that their md5 sums are the same. I will eat my hat if they also
> have the same sha1 sums or the same rmd160 sums.
>
> Therefore, use more than one checksum and the weakness of any
> individual algorithm becomes unimportant.

That makes sense.
Anyway, the point is not to drop MD5 as a checksum but to encourage
port authors to write more secure Portfiles.
For this purpose, I like your idea of warning the Portfile author when
the checksum is not secure enough.
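
A sketch of the warning discussed in this message, as an added example that is not part of the original post or of MacPorts' own code. It assumes the Portfile `checksums` keyword takes type/value pairs, optionally preceded by a distfile name; the function names and sample fragments are hypothetical.

```python
import re

# Checksum types named in the thread; md5 is the one treated as weak.
KNOWN = {"md5", "sha1", "rmd160"}
WEAK = {"md5"}

def parse_checksums(portfile_text):
    """Map each distfile (None = the port's single distfile) to {type: digest}."""
    joined = re.sub(r"\\[ \t]*\n", " ", portfile_text)  # fold continuation lines
    found = {}
    for line in joined.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "checksums":
            continue
        distfile, it = None, iter(tokens[1:])
        for tok in it:
            if tok in KNOWN:
                digest = next(it, None)
                if digest is None:
                    raise ValueError(f"checksum type {tok} has no value")
                found.setdefault(distfile, {})[tok] = digest.lower()
            else:
                distfile = tok  # multi-distfile form: a file name precedes its sums
    return found

def lint_checksums(portfile_text):
    """Return warnings for distfiles whose checksums rest on md5 or on one type."""
    sums = parse_checksums(portfile_text)
    if not sums:
        return ["no checksums found"]
    warnings = []
    for distfile, algos in sums.items():
        name = distfile or "(distfile)"
        if not set(algos) - WEAK:
            warnings.append(f"{name}: md5 only; add sha1 or rmd160")
        elif len(algos) < 2:
            warnings.append(f"{name}: single checksum type; list more than one")
    return warnings

# Constructed Portfile fragments (digests are placeholder values).
MD5_ONLY = "name foo\nchecksums md5 " + "a" * 32 + "\n"
TWO_TYPES = ("checksums  md5 " + "a" * 32 + " \\\n"
             "           sha1 " + "b" * 40 + "\n")
PER_FILE = ("checksums  a.tar.gz md5 " + "a" * 32 + " sha1 " + "b" * 40 + " \\\n"
            "           b.tar.gz rmd160 " + "c" * 40 + "\n")

if __name__ == "__main__":
    for label, text in [("md5 only", MD5_ONLY), ("two types", TWO_TYPES), ("per file", PER_FILE)]:
        print(label, "->", lint_checksums(text) or "ok")
```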

