On 2012-04-06, Craig Treleaven <[email protected]> wrote:
> Just curious, why two checksums? Is one not sufficient?

One thought would be that while one hash algorithm may exhibit a flaw that allows arbitrary changes to the payload without altering the hash, it's extremely unlikely that two hashes would be affected in the same way. I don't think MacPorts actually verifies every hash that is provided in the Portfile.

I think the actual reason is to provide a backup hash if the first algorithm isn't available. Though, I'm pretty sure rmd160 and sha256 have been available in OS X for quite some time, via openssl, python, perl, etc. Hmm, apparently a year ago sha256 support was broken in MacPorts anyway, I'm not sure if that's been corrected.

It'd certainly be simpler to document if only one hash algorithm was "blessed", with all others marked for removal by a certain date / version.

--
arno s hautala /-| [email protected]
pgp b2c9d448
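The two readings discussed in this message (every listed hash is verified, or the second hash is only a fallback) behave differently when one algorithm is broken. The sketch below is an added example, not part of the original message and not MacPorts code; the function names, the `policy` parameter, the type-to-hashlib mapping and the sample data are assumptions, and the "collision" is simulated by declaring the tampered file's own sha1.

```python
import hashlib

# Checksum type -> hashlib name (this mapping is an assumption of the example).
HASHLIB_NAMES = {"rmd160": "ripemd160", "sha1": "sha1", "sha256": "sha256"}

def digest(algo, data):
    """Return the hex digest, or None when this runtime lacks the algorithm."""
    try:
        h = hashlib.new(HASHLIB_NAMES.get(algo, algo))
    except ValueError:  # raised for unknown or disabled algorithms
        return None
    h.update(data)
    return h.hexdigest()

def verify(data, declared, policy="all"):
    """Check data against an ordered list of (algo, expected_hex) pairs.

    policy="all":   every available algorithm must match.
    policy="first": stop after the first available algorithm (fallback reading).
    Returns (ok, checked_algos, skipped_algos).
    """
    checked, skipped = [], []
    for algo, expected in declared:
        actual = digest(algo, data)
        if actual is None:
            skipped.append(algo)  # unavailable here: fall through to the next one
            continue
        checked.append(algo)
        if actual != expected.lower():
            return False, checked, skipped
        if policy == "first":
            break
    # Fail closed when no declared algorithm could be computed at all.
    return bool(checked), checked, skipped

def demo():
    # Constructed sample data; sha1 stands in for "the algorithm with a flaw".
    original = b"distfile v1.0 (constructed)"
    tampered = b"distfile v1.0 (tampered)"
    declared = [
        ("nosuchhash", "00"),                    # algorithm missing on this host
        ("sha1", digest("sha1", tampered)),      # simulated collision: still matches
        ("sha256", digest("sha256", original)),  # second hash exposes the change
    ]
    return {p: verify(tampered, declared, p) for p in ("first", "all")}

if __name__ == "__main__":
    for policy, result in demo().items():
        print(policy, result)
```

Under the fallback policy the second hash adds nothing against a collision in the first; it only matters when the first algorithm cannot be computed.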
