[70413] trunk/dports/devel/ppl/Portfile

Ryan Schmidt ryandesign at macports.org
Sun Aug 8 15:09:51 PDT 2010


On Aug 8, 2010, at 16:56, Andrew Fernandes wrote:

> Hi, Ryan -
>  
>> You should always use at least two different checksum types.
> 
> If that's policy, I can do that without problem.
> 
> I am, however, curious as to why. It is virtually impossible for any of those cryptographic hashes to be faked/foiled/diddled with. Since they encode both length and content, any of them is generally considered to be interchangeable with a unique file.
> 
> (I used to make my living as a cryptographer - so I'm genuinely interested in the "two hash" policy. Cryptographic hashes are much "stronger" than standard checksums and can be used for things that checksums can't...)

I was basing this on the following:

http://lists.macosforge.org/pipermail/macports-dev/2010-June/012253.html

It seems it's no longer "virtually impossible", but rather very easy, for someone to generate two files, one good and one malicious, that have the same hash, in any one particular algorithm (or at least, md5 has been demonstration, and I assume the same can be done with the others either now or soon). Using at least two different algorithms for our checksums prevents any such eventuality




More information about the macports-dev mailing list