[MacPorts] #63885: Replace rmd160 use in MacPorts with something else
MacPorts
noreply at macports.org
Wed Nov 10 21:21:25 UTC 2021
#63885: Replace rmd160 use in MacPorts with something else
-------------------------+--------------------
Reporter: ryandesign | Owner: (none)
Type: defect | Status: new
Priority: Normal | Milestone:
Component: base | Version:
Resolution: | Keywords:
Port: |
-------------------------+--------------------
Comment (by mouse07410):
When a hash is used for non-cryptographic purposes (just to produce a unique
identifier for a package), it does not really matter whether it's
cryptographically broken or not. Thus, I wouldn't bend over backwards to
eradicate all the usage of MD5, SHA1, RIPEMD160, etc.
> . . . rmd160 used for the binary archives is not merely a checksum;
> it is also somehow validating a signature with our public key
This, ideally, should be replaced. Anything SHA-2 would be good, or SHA-3.
I personally like SHA-3, and some candidates (like Blake2). Didn't pay
attention to Blake3 (and probably won't, enough Post-Quantum things on the
plate to occupy my time)...
Given how port validation and signature verification are done, I don't
think we need to worry about performance of the hash.
In short: if you can move to SHA-2 or (better yet) SHA-3, it would be great
from several points of view. Especially if Perry can write a script to
speed up the update.
--
Ticket URL: <https://trac.macports.org/ticket/63885#comment:16>
MacPorts <https://www.macports.org/>
Ports system for macOS