[MacPorts] #63885: Replace rmd160 use in MacPorts with something else

MacPorts noreply at macports.org
Wed Nov 10 21:21:25 UTC 2021


#63885: Replace rmd160 use in MacPorts with something else
-------------------------+--------------------
  Reporter:  ryandesign  |      Owner:  (none)
      Type:  defect      |     Status:  new
  Priority:  Normal      |  Milestone:
 Component:  base        |    Version:
Resolution:              |   Keywords:
      Port:              |
-------------------------+--------------------

Comment (by mouse07410):

 When a hash is used for non-cryptographic purposes (just to produce a unique
 identifier for a package), it does not really matter whether it's
 cryptographically broken or not. Thus, I wouldn't bend over backwards to
 eradicate all the usage of MD5, SHA1, RIPEMD160, etc.

 > .  .  .  rmd160 used for the binary archives is not merely a checksum;
 > it is also somehow validating a signature with our public key

 This, ideally, should be replaced. Anything SHA-2 would be good, or SHA-3.
 I personally like SHA-3, and some candidates (like Blake2). Didn't pay
 attention to Blake3 (and probably won't, enough Post-Quantum things on the
 plate to occupy my time)...

 Given how port validation and signature verification are done, I don't
 think we need to worry about performance of the hash.

 In short: if you can move to SHA-2 or (better yet) SHA3, it would be great
 from several points of view. Especially if Perry can write a script to
 speed up the update.

-- 
Ticket URL: <https://trac.macports.org/ticket/63885#comment:16>
MacPorts <https://www.macports.org/>
Ports system for macOS

