Let's avoid using md5 as checksum

js ebgssth at gmail.com
Fri Feb 15 21:48:07 PST 2008


NP, the author is free to ignore the warning message ;)

On Feb 16, 2008 2:36 PM, Ryan Schmidt <ryandesign at macports.org> wrote:
>
>
> On Feb 15, 2008, at 23:29, js wrote:
>
> >> You might say we should therefore use sha1 or rmd160 instead. But
> >> what if a similar problem is discovered in sha1 or rmd160?
> >
> > MD5 already has one, the others do not.
> >
> >> Even if flaws exist in all three checksum algorithms that enable
> >> differing files to have the same checksum, it is virtually impossible
> >> for such a flaw to affect more than one checksum algorithm at a time.
> >> That is, take two different files A and B which have been constructed
> >> so that their md5 sums are the same. I will eat my hat if they also
> >> have the same sha1 sums or the same rmd160 sums.
> >>
> >> Therefore, use more than one checksum and the weakness of any
> >> individual algorithm becomes unimportant.
> >
> > That makes sense.
> > Anyway, the thing is not dropping MD5 as a checksum but encouraging
> > port authors to write more secure Portfiles.
> > For this purpose, I like your idea of warning the Portfile author when
> > the checksum is not secure enough.
>
> Of course, this won't make Rainer happy. :-)
>
> http://trac.macosforge.org/projects/macports/browser/trunk/dports/editors/vim/files/patchlist?rev=34037
>
> Look at all them pretty md5s...
>
>
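
The two ideas in this thread, requiring every declared checksum to match and warning when md5 is the only one declared, sketched as an added example (not code from MacPorts or from either poster). The `md5 <hex> sha1 <hex>` pair format, the function names and the sample data are assumptions made for illustration.

```python
import hashlib

# Portfile keyword -> hashlib name (rmd160 can be absent from some OpenSSL builds).
HASHLIB_NAME = {"md5": "md5", "sha1": "sha1", "rmd160": "ripemd160"}
WEAK = {"md5"}  # assumption: only MD5 is flagged, as in the thread


def parse_checksums(spec):
    """Parse 'md5 <hex> sha1 <hex> ...' into {algorithm: hexdigest}."""
    tokens = spec.split()
    if len(tokens) % 2:
        raise ValueError("checksums must be algorithm/value pairs")
    declared = {}
    for algo, value in zip(tokens[::2], tokens[1::2]):
        if algo not in HASHLIB_NAME:
            raise ValueError(f"unknown checksum type: {algo}")
        declared[algo] = value.lower()
    return declared


def verify(data, spec):
    """Return (ok, messages); every declared checksum must match."""
    declared = parse_checksums(spec)
    messages, ok, checked = [], True, 0
    if declared and set(declared) <= WEAK:
        messages.append("only md5 declared; add sha1 or rmd160")
    for algo, expected in declared.items():
        try:
            digest = hashlib.new(HASHLIB_NAME[algo], data).hexdigest()
        except ValueError:  # algorithm not provided by this Python build
            messages.append(f"{algo} unavailable; not checked")
            continue
        checked += 1
        if digest != expected:
            ok = False
            messages.append(f"{algo} mismatch")
    return ok and checked > 0, messages


if __name__ == "__main__":
    data = b"constructed distfile contents\n"  # constructed sample input
    md5 = hashlib.md5(data).hexdigest()
    sha1 = hashlib.sha1(data).hexdigest()
    print(verify(data, f"md5 {md5}"))                  # passes, with a warning
    print(verify(data, f"md5 {md5} sha1 {sha1}"))      # passes, no warning
    print(verify(data, f"md5 {md5} sha1 {'0' * 40}"))  # md5 matches, sha1 does not
```

The last call is the case discussed in the thread: a file whose md5 matches is still rejected because the second declared checksum does not.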

