[107076] trunk/dports/python
Ryan Schmidt
ryandesign at macports.org
Tue Jun 18 15:32:56 PDT 2013
On Jun 18, 2013, at 17:30, Joshua Root <jmr at macports.org> wrote:
> On 2013-6-19 08:14 , Ryan Schmidt wrote:
>> On Jun 17, 2013, at 15:42, aronnax at macports.org wrote:
>>
>>> Revision: 107076
>>> https://trac.macports.org/changeset/107076
>>> Author: aronnax at macports.org
>>> Date: 2013-06-17 13:42:06 -0700 (Mon, 17 Jun 2013)
>>> Log Message:
>>> -----------
>>> py-twilio: new port, Twilio API client and TwiML generator
>>>
>>> Added Paths:
>>> -----------
>>> trunk/dports/python/py-twilio/
>>> trunk/dports/python/py-twilio/Portfile
>>
>>> +checksums md5 a33890f8b1527af9cd0d2018949934ea
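Review bot: The added checksums line carries a single md5 digest and nothing else, so the distfile is checked only against an algorithm the thread itself calls not secure. Suggest listing rmd160 and sha256 digests on this line, computed from the downloaded distfile, and keeping md5 only as an additional entry if it is wanted for comparison with the upstream value.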
>>
>> The md5 algorithm is not secure:
>>
>> http://en.wikipedia.org/wiki/MD5#Security
>>
>> Using just an md5 checksum should not be considered adequate. We should use at least two checksums per distfile; the current recommendation is to use rmd160 and sha256 checksums.
>
> But md5 is all pypi provides, so it's fine to use that as one of the
> multiple checksums.
Can someone please persuade pypi to use a more modern algorithm? Use of only md5 opens them up to vulnerabilities. A malicious developer could replace any module with a functionally different version that has the same md5 hash.
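Added example, not part of the original thread and not MacPorts code: a Python sketch of the checksum policy discussed above, which parses a single-distfile checksums stanza, flags one that relies on md5 alone, and verifies data against every listed digest. The function names and the simplified parsing are assumptions, and the second stanza uses constructed placeholder digests.

```python
import hashlib
import re

WEAK = {"md5", "sha1"}                    # collision attacks known; never sufficient alone
HASHLIB_NAME = {"rmd160": "ripemd160"}    # Portfile spelling -> hashlib spelling

def parse_checksums(portfile_text):
    """Return {algorithm: hexdigest} from a single-distfile checksums stanza."""
    folded = re.sub(r"\\\s*\n", " ", portfile_text)   # join backslash-continued lines
    m = re.search(r"^\s*checksums\s+(.+)$", folded, re.MULTILINE)
    tokens = m.group(1).split() if m else []
    return {a.lower(): d.lower() for a, d in zip(tokens[::2], tokens[1::2])}

def policy_findings(checksums):
    """Flag stanzas that do not meet the 'at least two, not md5 alone' rule."""
    findings = []
    if len(checksums) < 2:
        findings.append("fewer than two checksums")
    if not any(a not in WEAK for a in checksums):
        findings.append("no collision-resistant algorithm listed")
    return findings

def verify(data, checksums):
    """Return the algorithms that fail; every listed digest must match."""
    failed = []
    for algo, expected in checksums.items():
        try:
            actual = hashlib.new(HASHLIB_NAME.get(algo, algo), data).hexdigest()
        except ValueError:            # digest not provided by this Python/OpenSSL build
            actual = None             # fail closed rather than skip the check
        if actual != expected:
            failed.append(algo)
    return failed

# The stanza from the changeset, and a constructed one with placeholder digests.
MD5_ONLY = "checksums md5 a33890f8b1527af9cd0d2018949934ea\n"
TWO_SUMS = "checksums rmd160 " + "0" * 40 + " \\\n          sha256 " + "1" * 64 + "\n"

if __name__ == "__main__":
    for name, text in (("md5 only", MD5_ONLY), ("rmd160+sha256", TWO_SUMS)):
        print(name, "->", policy_findings(parse_checksums(text)) or "ok")
    blob = b"constructed distfile bytes"
    sums = {"sha256": hashlib.sha256(blob).hexdigest(),
            "sha512": hashlib.sha512(blob).hexdigest()}
    print("intact:", verify(blob, sums), "tampered:", verify(blob + b"!", sums))
```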