> One thought would be that while one hash algorithm may exhibit a flaw
> that allows arbitrary changes to the payload without altering the
> hash, it's extremely unlikely that two hashes would be affected in the
> same way.

This is the main reason we have more than one hash: it's possible to have collisions, especially with weaker hashes, where a bad file can be accepted by MacPorts.

> I don't think MacPorts actually verifies every hash that is provided
> in the Portfile.

MacPorts checks all listed hashes.

> I think the actual reason is to provide a backup hash if the first
> algorithm isn't available. Though, I'm pretty sure rmd160 and sha256
> have been available in OS X for quite some time, via openssl, python,
> perl, etc.
>
> Hmm, apparently a year ago sha256 support was broken in MacPorts
> anyway, I'm not sure if that's been corrected.

It was corrected in MacPorts 2.0.0.

> It'd certainly be simpler to document if only one hash algorithm was
> "blessed", with all others marked for removal by a certain date /
> version.
_______________________________________________
macports-dev mailing list
[email protected]
http://lists.macosforge.org/mailman/listinfo.cgi/macports-dev
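
The two acceptance policies contrasted in this thread ("backup hash" versus "check all listed hashes"), as an added example that is not part of the original message and is not MacPorts code. The function names and sample data are hypothetical, sha1 stands in for a weaker hash because rmd160 is not present in every Python build, and the collision is simulated by recomputing the sha1 entry, not produced by a real attack.

```python
import hashlib
import hmac

def digest(algo, data):
    """Return the hex digest, or None if this Python build lacks the algorithm."""
    try:
        return hashlib.new(algo, data).hexdigest()
    except ValueError:
        return None

def check_all(data, checksums):
    """Accept only if every listed checksum matches; an unavailable
    algorithm counts as a failure (fail closed), it is not skipped."""
    if not checksums:
        return False
    for algo, expected in checksums.items():
        actual = digest(algo, data)
        if actual is None or not hmac.compare_digest(actual, expected.lower()):
            return False
    return True

def check_any(data, checksums):
    """'Backup hash' policy: accept as soon as one listed checksum matches."""
    for algo, expected in checksums.items():
        actual = digest(algo, data)
        if actual is not None and hmac.compare_digest(actual, expected.lower()):
            return True
    return False

# Constructed sample data (not a real distfile).
GOOD = b"constructed distfile contents v1.0\n"
TAMPERED = b"constructed distfile contents v1.0 (modified)\n"

# Checksums as a port maintainer would have recorded them for GOOD.
LISTED = {"sha1": hashlib.sha1(GOOD).hexdigest(),
          "sha256": hashlib.sha256(GOOD).hexdigest()}

# Simulated break of the weaker hash: the tampered file is assumed to
# collide with GOOD on sha1 only, so the sha1 entry matches TAMPERED.
SIMULATED = {"sha1": hashlib.sha1(TAMPERED).hexdigest(),
             "sha256": LISTED["sha256"]}

if __name__ == "__main__":
    print("any-match accepts tampered file:", check_any(TAMPERED, SIMULATED))
    print("all-match accepts tampered file:", check_all(TAMPERED, SIMULATED))
```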
