Let's avoid using md5 as checksum

Ryan Schmidt ryandesign at macports.org
Fri Feb 15 21:36:44 PST 2008


On Feb 15, 2008, at 23:29, js wrote:

>> You might say we should therefore use sha1 or rmd160 instead. But
>> what if a similar problem is discovered in sha1 or rmd160?
>
> MD5 already has one; the others do not.
>
>> Even if flaws exist in all three checksum algorithms that enable
>> differing files to have the same checksum, it is virtually impossible
>> for such a flaw to affect more than one checksum algorithm at a time.
>> That is, take two different files A and B which have been constructed
>> so that their md5 sums are the same. I will eat my hat if they also
>> have the same sha1 sums or the same rmd160 sums.
>>
>> Therefore, use more than one checksum and the weakness of any
>> individual algorithm becomes unimportant.
>
> That makes sense.
> Anyway, the thing is not to drop MD5 as a checksum but to encourage
> port authors to write more secure Portfiles.
> For this purpose, I like your idea of warning the Portfile author when
> the checksum is not secure enough.

Of course, this won't make Rainer happy. :-)

http://trac.macosforge.org/projects/macports/browser/trunk/dports/editors/vim/files/patchlist?rev=34037

Look at all them pretty md5s...
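
Added example (not part of the original message and not MacPorts code): a Python sketch of the two ideas in this thread, requiring every listed checksum to match and warning the port author when md5 is the only type given. The single-line "checksums <type> <hex> ..." input form, the type-to-hashlib mapping, the warning policy and all function names are assumptions of this example.

```python
import hashlib

# MacPorts checksum type -> hashlib name (this mapping is the example's assumption).
ALGOS = {"md5": "md5", "sha1": "sha1", "rmd160": "ripemd160"}
WEAK = {"md5"}  # assumed policy: md5 alone is "not secure enough"

def parse_checksums(line):
    """Parse 'checksums <type> <hex> [<type> <hex> ...]' into {type: hex}."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "checksums" or len(tokens) % 2 == 0:
        raise ValueError("expected: checksums <type> <hex> [<type> <hex> ...]")
    pairs = {k: v.lower() for k, v in zip(tokens[1::2], tokens[2::2])}
    unknown = sorted(set(pairs) - set(ALGOS))
    if unknown:
        raise ValueError("unknown checksum type(s): " + ", ".join(unknown))
    return pairs

def lint(checksums):
    """Warnings for the port author; an empty list means the policy is met."""
    if not set(checksums) - WEAK:
        return ["only md5 is listed; add sha1 and/or rmd160"]
    if len(checksums) < 2:
        return ["one checksum type listed; a second guards against a flaw in the first"]
    return []

def verify(data, checksums):
    """Return the types that fail; every listed type must match, not just one."""
    failed = []
    for kind, expected in checksums.items():
        try:
            actual = hashlib.new(ALGOS[kind], data).hexdigest()
        except ValueError:  # digest unavailable in this Python/OpenSSL build
            actual = None   # fail closed rather than skip the check
        if actual != expected:
            failed.append(kind)
    return failed

if __name__ == "__main__":
    distfile = b"constructed distfile contents\n"  # constructed sample input
    line = "checksums md5 %s sha1 %s" % (
        hashlib.md5(distfile).hexdigest(), hashlib.sha1(distfile).hexdigest())
    sums = parse_checksums(line)
    print(lint(sums), verify(distfile, sums))            # [] []
    # md5 still matches, sha1 does not: the file is rejected anyway.
    print(verify(distfile, dict(sums, sha1="0" * 40)))  # ['sha1']
    print(lint({"md5": sums["md5"]}))
```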


