On 06/23/2010 05:21 PM, Eric Hall wrote:
On Wed, Jun 23, 2010 at 07:15:47PM -0500, Ryan Schmidt wrote:
[snip]
For another, I'm unsure we really need sha256 checksums in there. It's already
complete overkill that we're putting three different checksums; using four
verges on crazy. The only reason we put more than one checksum at all is to
prevent a vulnerability in any single checksum algorithm from compromising
MacPorts' integrity, but this possibility itself is already so extremely remote
as to be of virtually no interest at all. Really the only purpose the checksums
need to serve is to ensure the distfile the user downloaded is the same one the
port maintainer tested with.
Agreed.
FWIW, I tend to agree that adding a fourth checksum is a bit overkill. It might
be worth upgrading one of the older checksums (md5, sha1) to sha256 though.
Many projects still report md5's and sha1's, so it would be useful to
have that there so one can just copy paste the checksum into the portfile.
Blair
_______________________________________________
macports-dev mailing list
[email protected]
http://lists.macosforge.org/mailman/listinfo.cgi/macports-dev