Let's avoid using md5 as checksum

William Allen Simpson wsimpson at macports.org
Sat Feb 16 00:11:23 PST 2008


On Feb 16, 2008 2:57 AM, Ryan Schmidt <ryandesign at macports.org> wrote:
> On Feb 16, 2008, at 01:49, William Allen Simpson wrote:
> > As long as we ONLY use hashes generated by the distfile author,
> > located on the distfile site, and NEVER generate our own, we'll be fine.
>
> But we don't do that. At least, I'm constantly generating my own
> checksums for my portfiles. The developers of most of my ports do not
> provide checksums.
>
Trust is not transitive.

If you download a file, and generate your own hash, that really defeats
the whole purpose of tarball verification.  Then, it doesn't matter what
checksum is used, or its cryptographic strength, as you have no way of
indicating who generated that hash.
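The point above, as an added illustration that is not part of the original thread: a checksum the maintainer derives from the same download accepts whatever that download contained, regardless of the digest algorithm, whereas a checksum the author published out of band catches a substituted distfile. All data below is constructed; the mirror and its contents are hypothetical.

```python
import hashlib

# Constructed stand-ins for a release tarball: what the author shipped, and
# what a hypothetical mirror serves in its place.
AUTHOR_TARBALL = b"foo-1.0.tar.gz: genuine release contents"
MIRROR_TARBALL = b"foo-1.0.tar.gz: contents substituted on the mirror"

# Checksum the author published alongside the release (obtained out of band).
AUTHOR_SHA256 = hashlib.sha256(AUTHOR_TARBALL).hexdigest()


def digest(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of a distfile; algo is any name hashlib accepts (md5, sha256, ...)."""
    return hashlib.new(algo, data).hexdigest()


def verify(data: bytes, expected: str, algo: str = "sha256") -> bool:
    """Portfile-style check: does the fetched file match the recorded checksum?"""
    return digest(data, algo) == expected


def self_generated_detects(fetched: bytes, algo: str = "sha256") -> bool:
    """Policy 1: maintainer fetches the distfile and records its hash.

    Returns True only if that recorded checksum rejects the fetched file.
    Because the checksum is derived from the very bytes being checked, it
    never does, whatever algorithm is chosen."""
    recorded = digest(fetched, algo)
    return not verify(fetched, recorded, algo)


def author_published_detects(fetched: bytes) -> bool:
    """Policy 2: maintainer records the checksum the author published.

    Returns True if the fetched file differs from the author's release."""
    return not verify(fetched, AUTHOR_SHA256)


if __name__ == "__main__":
    for algo in ("md5", "sha256"):
        print(algo, "self-generated catches substitution:",
              self_generated_detects(MIRROR_TARBALL, algo))
    print("author-published catches substitution:",
          author_published_detects(MIRROR_TARBALL))
```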
