Filesize in Portfiles (was Re: [76684] trunk/dports/sysutils/rpm/Portfile)

Anders F Björklund afb at
Tue Mar 8 23:55:51 PST 2011

Joshua Root wrote:

>>>> Kind of begs the question:  Do we need this many checksums?  md5 and sha1 are weak hashes, sure, but how about sha256?
>>> Apparently MacPorts prefers using sha1+rmd160 over sha256, and also it was "too long" (fixed by automating, or using base-32)
>>> The md5 is more of a left-over, though still used by many upstreams. But think it's currently being recommended against using ?
>> Per my recollection, sha256 is now supported in base (using base-32 encoding?). I know that one concern with use of base-32 was that if the checksum was mirroring one in upstream that the value would appear different. It would seem to be wise to try to auto-detect the format of this checksum based on length, so that ether the hex or base-32 encoding would be accepted. We would prefer base-32, but accept hex encoding as well for a case where upstream uses that format.
> Was there really a genuine complaint that sha256 is too long? FWIW, I
> don't think the length is a problem; in fact, having two possible
> formats seems more inconvenient than a long line.

I was missing /sbin/sha256 myself, but I added it to /usr/local...
For some reason it was ifdef'd away in Snow Leopard libmd/text_cmds.
But as noted, one could just use python or perl instead (for sha256).
That would be: perl's "shasum -a 256" or python's "hashlib.sha256"

I think it's more that gzip/md5 (or bzip2/sha1) is "good enough",
than actually avoiding xz/sha256. At least I hope that's the case ?
Personally I think it's more interesting to check the _contents_,
than to calculate digests on a compressed archive, but anyway...

> There was meant to be sha256 support in 1.9 BTW, but it's slightly
> broken, so it's (still) a trunk only feature for now.

It is ? Oh well, you can use any of my sha256 or base32hex code
if you want to fix it. I stopped using MacPorts for other reasons.
If you want to revisit checksums, you might want to to move them
to a separate file as well. Like being done in ports or portage ?

Then you could add a digest or distfile information, without the
need to rewrite all the Portfiles. And automate it much easier...
You do something like "make makesum" or "ebuild *.ebuild manifest",
instead of "port -d checksum && copy && paste" or whatever it is.


More information about the macports-dev mailing list