On Wed, Jun 23, 2010 at 07:15:47PM -0500, Ryan Schmidt wrote:
[snip]
> For another, I'm unsure we really need sha256 checksums in there. It's
> already complete overkill that we're putting three different checksums; using
> four verges on crazy. The only reason we put more than one checksum at all is
> to prevent a vulnerability in any single checksum algorithm from compromising
> MacPorts' integrity, but this possibility itself is already so extremely
> remote as to be of virtually no interest at all. Really the only purpose the
> checksums need to serve is to ensure the distfile the user downloaded is the
> same one the port maintainer tested with.
>
From what basis do you make the claim:
...prevent a vulnerability in any single checksum algorithm from
compromising MacPorts' integrity, but this possibility itself is
already so extremely remote...
Did you find a study on this, or do some research?
FWIW, I tend to agree that adding a fourth checksum is a bit overkill.
It might be worth upgrading one of the older checksums (md5, sha1) to sha256 though.
-eric
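As an added illustration of the point under discussion (this is not MacPorts' own code): a small Python checker for a Portfile-style `checksums` line that only accepts a distfile when every listed digest matches, so agreement on one algorithm alone is never enough. The distfile bytes and digests are constructed for the example (the well-known "abc" test vectors).

```python
import hashlib

# Hypothetical helper, not part of MacPorts: parse a Portfile-style
# "checksums" value of the form "md5 <hex> sha1 <hex> sha256 <hex> ...".
def parse_checksums(line):
    tokens = line.split()
    if len(tokens) % 2:
        raise ValueError("checksums line must be algorithm/digest pairs")
    return {tokens[i].lower(): tokens[i + 1].lower()
            for i in range(0, len(tokens), 2)}

# MacPorts calls RIPEMD-160 "rmd160"; hashlib knows it as "ripemd160".
HASHLIB_NAMES = {"rmd160": "ripemd160"}

def verify_distfile(data, checksums_line):
    """Return (ok, mismatches). ok is True only when every listed digest
    matches; a file that satisfies md5 but not sha256 is rejected, which
    is exactly why listing more than one independent algorithm helps."""
    expected = parse_checksums(checksums_line)
    mismatches = []
    for algo, digest in expected.items():
        try:
            h = hashlib.new(HASHLIB_NAMES.get(algo, algo))
        except ValueError:
            # Algorithm not available in this build of hashlib: treat as a
            # failure rather than silently skipping it.
            mismatches.append((algo, "unsupported"))
            continue
        h.update(data)
        if h.hexdigest() != digest:
            mismatches.append((algo, h.hexdigest()))
    return (not mismatches, mismatches)

# Constructed sample: a three-byte "distfile" and its standard test-vector digests.
SAMPLE_DISTFILE = b"abc"
SAMPLE_CHECKSUMS = ("md5 900150983cd24fb0d6963f7d28e17f72 "
                    "sha1 a9993e364706816aba3e25717850c26c9cd0d89d "
                    "sha256 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")
# Same md5 and sha1, but a sha256 digest that belongs to some other file.
TAMPERED_CHECKSUMS = SAMPLE_CHECKSUMS[:-64] + "0" * 64

if __name__ == "__main__":
    print(verify_distfile(SAMPLE_DISTFILE, SAMPLE_CHECKSUMS))    # (True, [])
    print(verify_distfile(SAMPLE_DISTFILE, TAMPERED_CHECKSUMS))  # (False, [('sha256', ...)])
```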
_______________________________________________
macports-dev mailing list
[email protected]
http://lists.macosforge.org/mailman/listinfo.cgi/macports-dev