rmd160 deprecated with openssl 3

Chris Jones jonesc at hep.phy.cam.ac.uk
Tue Nov 9 19:28:57 UTC 2021


One thing that became apparent with the recent migration to openssl 3 is that rmd160 has been declared obsolete. Openssl3 has done this, and moved this algorithm to its ‘legacy’ set of providers, such that by default it is not available. 

I ‘fixed’ this in the openssl3 port with 


But I am thinking the fact this is required should be taken as an indication that we should review our use of rmd160 in macports, in preparation for some future OS where it is no longer available. I am not imagining this will likely be ‘soon’, but I think its probably better we start planing for it sooner rather than later.

We use rmd160 in a few places in macports. A possibly incomplete list is

1. Its one of the default checksums we provide in portfiles to validate source tarballs.
2. Its the checksum we provide alongside out binary tarballs

I don’t think either of those is hard to ‘fix’. I.e. for 1. We could (should?) start recommending a different checksum to replace the rmd160 one we use. For 2., we could start publishing a second more modern checksum along side the rmd160 one, and then have base use this if present and fallback to rmd160 if missing.

Thoughts ?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.macports.org/pipermail/macports-dev/attachments/20211109/2f021ff7/attachment.htm>

More information about the macports-dev mailing list