[68957] trunk/base/ChangeLog

Blair Zajac blair at orcaware.com
Wed Jun 23 17:25:45 PDT 2010


On 06/23/2010 05:21 PM, Eric Hall wrote:
> On Wed, Jun 23, 2010 at 07:15:47PM -0500, Ryan Schmidt wrote:
> [snip]
>
>> For another, I'm unsure we really need sha256 checksums in there. It's already complete overkill that we're putting three different checksums; using four verges on crazy. The only reason we put more than one checksum at all is to prevent a vulnerability in any single checksum algorithm from compromising MacPorts' integrity, but this possibility itself is already so extremely remote as to be of virtually no interest at all. Really the only purpose the checksums need to serve is to ensure the distfile the user downloaded is the same one the port maintainer tested with.

Agreed.

> 	FWIW, I tend to agree that adding a fourth checksum is a bit overkill.  It might
> be worth upgrading one of the older checksums (md5, sha1) to sha256 though.

Many projects still report md5's and sha1's, so it would be useful to 
have that there so one can just copy paste the checksum into the portfile.

Blair



More information about the macports-dev mailing list