On 1/16/11 3:10 AM, Ryan Schmidt wrote:
> On Jan 16, 2011, at 00:59, Joshua Root wrote:
>> [in response to a commit by snc]
>> You've committed a lot of updates lately where the submitter's patch
>> contained an rmd160 checksum but you removed it. Is there a good reason
>> for this?
>
> I've committed lots of updates lately where I use only the sha1 and rmd160 checksums,
> omitting the md5 checksum. As we've discussed before, there is good reason to use more
> than just a single checksum algorithm (security against a vulnerability being discovered
> in any one checksum algorithm), but I see no point to using more than two checksum
> algorithms. And I picked the two newest algorithms, since for many other applications md5
> is already considered obsolete. I suggest this is what we should do going forward.
> Perhaps we could change the "port -d checksum" output to no longer suggest the
> md5 checksums. As we update ports, we should remove md5 checksums, preferring the
> sha1/rmd160 pair. And perhaps a couple years down the road we can remove md5 support from
> MacPorts entirely.

However, if the upstream source only provides an md5 checksum, then we should
use that checksum.
Blair