I'm not sure what you're saying. Let me restate myself, if the upstream only provides an md5, then we should at least include that one, plus a sha1 or rmd160.
Blair On Jan 16, 2011, at 10:40 AM, Jeremy Lavergne wrote: > That doesn't make much sense. > > Why would we restrict ourselves below the preferred 2 hashes? > > "Blair Zajac" <[email protected]> wrote: > >> On 1/16/11 3:10 AM, Ryan Schmidt wrote: >>> >>> On Jan 16, 2011, at 00:59, Joshua Root wrote: >>> >>> [in response to a commit by snc] >>> >>>> You've committed a lot of updates lately where the submitter's patch >>>> contained an rmd160 checksum but you removed it. Is there a good >> reason >>>> for this? >>> >>> I've committed lots of updates lately where I use only the sha1 and >> rmd160 checksums, omitting the md5 checksum. As we've discussed before, >> there is good reason to use more than just a single checksum algorithm >> (security against a vulnerability being discovered in any one checksum >> algorithm), but I see no point to using more than two checksum >> algorithms. And I picked the two newest algorithms, since for many >> other applications md5 is already considered obsolete. I suggest this >> is what we should do going forward. Perhaps we could change the "port >> -d checksum" output to no longer suggest the md5 checksums. As we >> update ports, we should remove md5 checksums, preferring the >> sha1/rmd160 pair. And perhaps a couple years down the road we can >> remove md5 support from MacPorts entirely. >> >> However, if the upstream source only provides an md5 checksum, then we >> should >> use that checksum. >> >> Blair >> _______________________________________________ >> macports-dev mailing list >> [email protected] >> http://lists.macosforge.org/mailman/listinfo.cgi/macports-dev > _______________________________________________ macports-dev mailing list [email protected] http://lists.macosforge.org/mailman/listinfo.cgi/macports-dev
