Ryan Schmidt ryandesign at macports.org
Sun Jan 16 03:10:27 PST 2011

On Jan 16, 2011, at 00:59, Joshua Root wrote:

[in response to a commit by snc]

> You've committed a lot of updates lately where the submitter's patch
> contained an rmd160 checksum but you removed it. Is there a good reason
> for this?

I've committed lots of updates lately where I use only the sha1 and rmd160 checksums, omitting the md5 checksum. As we've discussed before, there is good reason to use more than just a single checksum algorithm (security against a vulnerability being discovered in any one checksum algorithm), but I see no point to using more than two checksum algorithms. And I picked the two newest algorithms, since for many other applications md5 is already considered obsolete. I suggest this is what we should do going forward. Perhaps we could change the "port -d checksum" output to no longer suggest the md5 checksums. As we update ports, we should remove md5 checksums, preferring the sha1/rmd160 pair. And perhaps a couple years down the road we can remove md5 support from MacPorts entirely.
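
A check for the policy proposed in the message above, as an added example that is not part of the original email or of MacPorts itself: it parses the single-distfile `checksums` stanza of a Portfile and reports where it departs from the sha1/rmd160 pair. The function names and the sample Portfile text are constructed for illustration, and the stanza is assumed to list one distfile only.

```python
import re

PREFERRED = ("sha1", "rmd160")                    # the pair proposed in the message
HEXLEN = {"md5": 32, "sha1": 40, "rmd160": 40}    # digest length in hex characters

def parse_checksums(portfile_text):
    """Return {algorithm: digest} from a single-distfile checksums stanza."""
    # Join backslash-continued lines so the stanza becomes one logical line.
    joined = re.sub(r"\\[ \t]*\n", " ", portfile_text)
    for line in joined.splitlines():
        words = line.split()
        if not words or words[0] != "checksums":
            continue
        fields = words[1:]
        if len(fields) % 2:
            raise ValueError("checksums stanza has an odd number of fields")
        found = {}
        for algo, digest in zip(fields[0::2], fields[1::2]):
            if algo not in HEXLEN:
                raise ValueError(f"unexpected checksum type: {algo}")
            if len(digest) != HEXLEN[algo] or not re.fullmatch(r"[0-9a-fA-F]+", digest):
                raise ValueError(f"malformed {algo} digest")
            found[algo] = digest.lower()
        return found
    return {}

def audit(portfile_text):
    """List departures from the sha1/rmd160 policy; an empty list means compliant."""
    found = parse_checksums(portfile_text)
    if not found:
        return ["no checksums stanza"]
    findings = [f"missing {algo}" for algo in PREFERRED if algo not in found]
    if "md5" in found:
        findings.append("md5 present; remove on next update")
    return findings

# Constructed sample Portfile fragments (digests are filler, not real hashes).
SAMPLE_OLD = ("name            example\n"
              "checksums       md5     " + "a" * 32 + " \\\n"
              "                sha1    " + "b" * 40 + "\n")
SAMPLE_NEW = ("checksums       sha1    " + "b" * 40 + " \\\n"
              "                rmd160  " + "c" * 40 + "\n")

if __name__ == "__main__":
    for label, text in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(label, audit(text) or "ok")
```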

