sha1 and rmd160

Arno Hautala arno at alum.wpi.edu
Fri Apr 6 06:07:49 PDT 2012


On 2012-04-06, Craig Treleaven <ctreleaven at cogeco.ca> wrote:
>
> Just curious, why two checksums?  Is one not sufficient?

One thought would be that while one hash algorithm may exhibit a flaw
that allows arbitrary changes to the payload without altering the
hash, it's extremely unlikely that two hashes would be affected in the
same way.

I don't think MacPorts actually verifies every hash that is provided
in the Portfile.

I think the actual reason is to provide a backup hash if the first
algorithm isn't available. Though, I'm pretty sure rmd160 and sha256
have been available in OS X for quite some time, via openssl, python,
perl, etc.

Hmm, apparently a year ago sha256 support was broken in MacPorts
anyway, I'm not sure if that's been corrected.

It'd certainly be simpler to document if only one hash algorithm was
"blessed", with all others marked for removal by a certain date /
version.

-- 
arno  s  hautala    /-|   arno at alum.wpi.edu

pgp b2c9d448
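
The reasoning in the message above, that a flaw in one hash algorithm is unlikely to carry over to a second, and that an algorithm may be missing on a given system, can be made concrete. The sketch below is an added example, not MacPorts code and not from the original post. The "type value" line format, the name mapping and all sample data are constructed for illustration.

```python
import hashlib
import hmac

# MacPorts-style checksum type names -> hashlib names (mapping assumed for this example).
ALGORITHMS = {"sha1": "sha1", "rmd160": "ripemd160", "sha256": "sha256"}


def digest(name, data):
    """Hex digest of data, or None if this Python/OpenSSL build lacks the algorithm."""
    try:
        return hashlib.new(ALGORITHMS[name], data).hexdigest()
    except (KeyError, ValueError):
        return None


def parse_checksums(text):
    """Parse whitespace-separated 'type value' pairs into a list of tuples."""
    tokens = text.split()
    if len(tokens) % 2:
        raise ValueError("checksums must be type/value pairs")
    return list(zip(tokens[0::2], tokens[1::2]))


def verify(data, checksums):
    """Return (ok, per-type status). Every computable type must match and at
    least one must be computable; unavailable types are reported, not trusted."""
    status = {}
    for name, expected in checksums:
        actual = digest(name, data)
        if actual is None:
            status[name] = "unavailable"
        elif hmac.compare_digest(actual, expected.lower()):
            status[name] = "match"
        else:
            status[name] = "MISMATCH"
    checked = [s for s in status.values() if s != "unavailable"]
    return bool(checked) and all(s == "match" for s in checked), status


if __name__ == "__main__":
    original = b"constructed distfile contents\n"  # constructed sample data
    tampered = b"constructed distfile c0ntents\n"
    # Stand-in for a broken sha1: its recorded value matches the tampered file,
    # while the sha256 and rmd160 values still describe the original.
    line = "sha1 %s sha256 %s rmd160 %s" % (
        digest("sha1", tampered), digest("sha256", original),
        digest("rmd160", original) or "0" * 40)
    print(verify(original, parse_checksums(line)))
    print(verify(tampered, parse_checksums(line)))
```

The second hash only helps if the verifier requires every listed type to match; accepting the first match would reduce the check to its weakest algorithm.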

