sha1 and rmd160
Jeremy Lavergne
jeremy at lavergne.gotdns.org
Fri Apr 6 06:14:37 PDT 2012
> One thought would be that while one hash algorithm may exhibit a flaw
> that allows arbitrary changes to the payload without altering the
> hash, it's extremely unlikely that two hashes would be affected in the
> same way.
This is the main reason we have more than one hash: it's possible to have collisions, especially with weaker hashes, where a bad file can be accepted by MacPorts.
> I don't think MacPorts actually verifies every hash that is provided
> in the Portfile.
MacPorts checks all listed hashes.
> I think the actual reason is to provide a backup hash if the first
> algorithm isn't available. Though, I'm pretty sure rmd160 and sha256
> have been available in OS X for quite some time, via openssl, python,
> perl, etc.
>
> Hmm, apparently a year ago sha256 support was broken in MacPorts
> anyway, I'm not sure if that's been corrected.
It was corrected in MacPorts 2.0.0.
> It'd certainly be simpler to document if only one hash algorithm was
> "blessed", with all others marked for removal by a certain date /
> version.
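The policy stated in the reply above, that every listed hash is checked, can be sketched as follows. This is an added example, not MacPorts code or part of the original message: the function names, the keyword-to-hashlib mapping and the sample stanza (digests of the three-byte payload `abc`) are assumptions constructed for illustration. An unavailable algorithm counts as a failure rather than being skipped.

```python
import hashlib
import hmac

# Portfile checksum keyword -> hashlib name (mapping assumed for this example).
ALGORITHMS = {"md5": "md5", "sha1": "sha1", "rmd160": "ripemd160", "sha256": "sha256"}

# Constructed sample: digests of the payload b"abc", not a real port.
SAMPLE_STANZA = """checksums sha1   a9993e364706816aba3e25717850c26c9cd0d89d \\
          rmd160 8eb208f7e05d987a9b044a8e98c6b087f15a0bfc"""


def parse_checksums(stanza):
    """Parse 'checksums type value [type value ...]', allowing backslash continuations."""
    tokens = stanza.replace("\\\n", " ").split()
    if len(tokens) < 3 or tokens[0] != "checksums" or len(tokens) % 2 == 0:
        raise ValueError("malformed checksums stanza")
    return list(zip(tokens[1::2], tokens[2::2]))


def verify_all(data, checksums):
    """Return (ok, failures); ok is True only if every listed digest matches."""
    failures = []
    for kind, expected in checksums:
        name = ALGORITHMS.get(kind)
        try:
            digest = hashlib.new(name, data).hexdigest() if name else None
        except ValueError:
            # The local crypto library lacks this algorithm (e.g. ripemd160).
            digest = None
        if digest is None:
            # Fail closed: a hash that cannot be computed is not a passed check.
            failures.append((kind, "unavailable"))
        elif not hmac.compare_digest(digest, expected.lower()):
            failures.append((kind, "mismatch"))
    return (not failures and bool(checksums), failures)


if __name__ == "__main__":
    listed = parse_checksums(SAMPLE_STANZA)
    print("intact:  ", verify_all(b"abc", listed))
    print("tampered:", verify_all(b"abd", listed))
```
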