[75134] trunk/dports/net/mtr/Portfile

Blair Zajac blair at orcaware.com
Sun Jan 16 11:35:43 PST 2011

I'm not sure what you're saying.  Let me restate myself, if the upstream only provides an md5, then we should at least include that one, plus a sha1 or rmd160.


On Jan 16, 2011, at 10:40 AM, Jeremy Lavergne wrote:

> That doesn't make much sense.
> Why would we restrict ourselves below the preferred 2 hashes?
> "Blair Zajac" <blair at orcaware.com> wrote:
>> On 1/16/11 3:10 AM, Ryan Schmidt wrote:
>>> On Jan 16, 2011, at 00:59, Joshua Root wrote:
>>> [in response to a commit by snc]
>>>> You've committed a lot of updates lately where the submitter's patch
>>>> contained an rmd160 checksum but you removed it. Is there a good
>> reason
>>>> for this?
>>> I've committed lots of updates lately where I use only the sha1 and
>> rmd160 checksums, omitting the md5 checksum. As we've discussed before,
>> there is good reason to use more than just a single checksum algorithm
>> (security against a vulnerability being discovered in any one checksum
>> algorithm), but I see no point to using more than two checksum
>> algorithms. And I picked the two newest algorithms, since for many
>> other applications md5 is already considered obsolete. I suggest this
>> is what we should do going forward. Perhaps we could change the "port
>> -d checksum" output to no longer suggest the md5 checksums. As we
>> update ports, we should remove md5 checksums, preferring the
>> sha1/rmd160 pair. And perhaps a couple years down the road we can
>> remove md5 support from MacPorts entirely.
>> However, if the upstream source only provides an md5 checksum, then we
>> should 
>> use that checksum.
>> Blair
>> _______________________________________________
>> macports-dev mailing list
>> macports-dev at lists.macosforge.org
>> http://lists.macosforge.org/mailman/listinfo.cgi/macports-dev

More information about the macports-dev mailing list