sha1 and rmd160
Clemens Lang
cal at macports.org
Fri Apr 6 06:12:36 PDT 2012
On Fri, Apr 06, 2012 at 09:07:49AM -0400, Arno Hautala wrote:
> I don't think MacPorts actually verifies every hash that is provided
> in the Portfile.

It does verify every checksum the Portfile provides.

> I think the actual reason is to provide a backup hash if the first
> algorithm isn't available. Though, I'm pretty sure rmd160 and sha256
> have been available in OS X for quite some time, via openssl, python,
> perl, etc.

No, the actual reason is having a second hash in place when one of them
is cryptographically broken, as you pointed out.

> Hmm, apparently a year ago sha256 support was broken in MacPorts
> anyway, I'm not sure if that's been corrected.

Yes.

> It'd certainly be simpler to document if only one hash algorithm was
> "blessed", with all others marked for removal by a certain date /
> version.

We're documenting two hash algorithms that are "blessed". All others are
deprecated.

--
Clemens Lang