[76684] trunk/dports/sysutils/rpm/Portfile

Jeff Johnson n3npq at mac.com
Sun Mar 6 06:29:41 PST 2011

On Mar 6, 2011, at 5:24 AM, Anders F Björklund wrote:

> Ryan Schmidt wrote:
>>> I guess the checksums are the next lint complaint ?
>>> Since the old ports are still using MD5, I mean...
>> Less important than nagging about ports still using md5 at this point would be to nag about ports only using a single checksum type for a distfile. :/ In such a nag, it could be recommended to use sha1 and rmd160.
> Or just one sha256, but yeah that is what I meant.
> It would be more useful to add the download size,
> than to use two separate 160-bit checksum lines ?

(obscure aside)
I used to believe that the combination of a size+digest
"no tampering" check was sufficiently stronger than using
more bits in the digest, or adding a second (and longer) digest.

Turns out that there are many MD5 exploits that do not change
file size.

But without an explicit "threat model" for downloads, its difficult
to discuss whether 2 digests is "better" than everything SHA* or
digest+size as a policy rule for downloading.

In reality the digest is more of an integrity than a security check (imho)
for downloaders, and even CRC would be gud enuf for integrity (but not security)

73 de Jeff

More information about the macports-dev mailing list