On Fri, Apr 06, 2012 at 09:07:49AM -0400, Arno Hautala wrote: > I don't think MacPorts actually verifies every hash that is provided > in the Portfile.
It does verify every checksum the Portfile provides. > I think the actual reason is to provide a backup hash if the first > algorithm isn't available. Though, I'm pretty sure rmd160 and sha256 > have been available in OS X for quite some time, via openssl, python, > perl, etc. No, the actual reason is having a second hash in place when one of them is cryptographically broken, as you pointed out. > Hmm, apparently a year ago sha256 support was broken in MacPorts > anyway, I'm not sure if that's been corrected. Yes. > It'd certainly be simpler to document if only one hash algorithm was > "blessed", with all others marked for removal by a certain date / > version. We're documenting two hash algorithms that are "blessed". All others are deprecated. -- Clemens Lang _______________________________________________ macports-dev mailing list [email protected] http://lists.macosforge.org/mailman/listinfo.cgi/macports-dev
