So many formats, So few packages

Anders F Björklund afb at macports.org
Thu Apr 7 12:13:54 PDT 2011


I wrote
>> If you want to ignore this part of the problem definition and not sign your packages, the "real goal" becomes distributing binaries without caring about their integrity or the resulting risk for people using them. If you look around at other contenders in the packaged open source distribution business, that's not where the mark is set.
> 
> The ".rmd160" file is the signature of the ".tbz2" compressed tarball that approximates a "package".

Also, the reason it is using RIPEMD-160 instead of SHA-256 is that it is included with Mac OS X, just as the reason it is using bzip2 instead of xz is that it is included with Mac OS X...

But even if MacPorts would use "CHECKSUMS.md5.asc" (MD5) and .tgz (gzip), that would *still* be "good enough" compared to not doing any binaries at all. The sources are unsigned and much bigger.

--anders
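An added example, not MacPorts' own tooling, illustrating the two layouts the message contrasts: a detached signature stored next to each archive (the ".tbz2" plus ".rmd160" shape described above) and a single signed digest list covering many archives (the "CHECKSUMS.md5.asc" shape). It assumes openssl(1), tar(1) and awk(1) are available; the exact commands MacPorts used are not on the page and the ones below are my own. The digest defaults to sha256 rather than ripemd160 only because OpenSSL 3.0 releases before 3.0.7 ship RIPEMD-160 in the legacy provider; set DIGEST=ripemd160 to match the post where the build supports it. In both layouts the publisher's public key is what turns a digest from a transit check into a statement of origin: an unsigned checksum next to the tarball can be replaced together with it.

```shell
#!/bin/sh
# Added example (not from the MacPorts project): per-archive detached
# signatures versus one signed checksum list, verified with openssl(1).
set -e
DIGEST="${DIGEST:-sha256}"
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

make_archive() {
    # constructed sample "package" content standing in for a .tbz2
    mkdir -p "$WORK/pkg/bin"
    printf 'echo hello\n' > "$WORK/pkg/bin/hello"
    tar -C "$WORK" -cf "$WORK/pkg.tar" pkg
}

make_keys() {
    # publisher's signing key and the public key a client ships with
    openssl genrsa -out "$WORK/priv.pem" 2048 2>/dev/null
    openssl rsa -in "$WORK/priv.pem" -pubout -out "$WORK/pub.pem" 2>/dev/null
}

sign_archive() {
    # layout 1: a detached signature beside the archive (pkg.tar -> pkg.tar.sig)
    openssl dgst "-$DIGEST" -sign "$WORK/priv.pem" -out "$WORK/pkg.tar.sig" "$WORK/pkg.tar"
}

verify_archive() {
    # 0 when pkg.tar matches pkg.tar.sig under the shipped public key, 1 otherwise
    openssl dgst "-$DIGEST" -verify "$WORK/pub.pem" -signature "$WORK/pkg.tar.sig" \
        "$WORK/pkg.tar" >/dev/null 2>&1
}

sign_checksum_list() {
    # layout 2: one digest list for every archive, one signature over the list
    ( cd "$WORK" && openssl dgst "-$DIGEST" -r pkg.tar > CHECKSUMS )
    openssl dgst "-$DIGEST" -sign "$WORK/priv.pem" -out "$WORK/CHECKSUMS.sig" "$WORK/CHECKSUMS"
}

verify_via_list() {
    # step 1: the list itself must carry the publisher's signature
    openssl dgst "-$DIGEST" -verify "$WORK/pub.pem" -signature "$WORK/CHECKSUMS.sig" \
        "$WORK/CHECKSUMS" >/dev/null 2>&1 || return 1
    # step 2: the archive on disk must match the digest recorded in the list
    expected="$(awk '$2 == "*pkg.tar" {print $1}' "$WORK/CHECKSUMS")"
    actual="$(openssl dgst "-$DIGEST" -r "$WORK/pkg.tar" | awk '{print $1}')"
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

demo() {
    # genuine archive passes both layouts; a tampered archive fails both
    make_archive; make_keys; sign_archive; sign_checksum_list
    verify_archive || return 1
    verify_via_list || return 1
    printf 'tampered\n' >> "$WORK/pkg.tar"
    if verify_archive; then return 1; fi
    if verify_via_list; then return 1; fi
    return 0
}

demo && echo "ok: genuine archive verifies, tampered archive rejected by both layouts"
```

The signed-list layout costs one signature per release instead of one per archive and lets a client check a whole mirror with a single public-key operation, while the per-archive layout keeps each download self-describing; either way the public key must reach the client out of band, or a replaced tarball and a replaced signature are indistinguishable from the real ones.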


