On 04/07/2012 10:04 PM, Ryan Schmidt wrote:
> On Apr 6, 2012, at 08:33, Arno Hautala wrote:
>> On 2012-04-06, Clemens Lang <[email protected]> wrote:
>>> We're documenting two hash algorithms that are "blessed". All others are
>>> deprecated.
>> Is there an effort to remove the deprecated algorithms? Or a date /
>> version for support to be removed? Just curious.
> Not yet. Personally I try to remove md5 checksums from ports as I update them.
> Perhaps once most ports have had that done to them, we can consider doing a
> batch md5 removal from the remaining ports and then removing md5 support from
> MacPorts.

I don't know why we're so focused on removing md5 support.
I was thinking why I'm resistant to removing md5 support and it comes
down to making it easier for somebody to verify that the port is correct,
given that many sites only list an md5 checksum and not a better one.
As much as we're concerned about a bad actor messing with a tarball, the
bad actor could be a MacPorts committer. So comparing the md5 in the
port with the md5 from upstream is much easier than downloading
upstream's tarball, comparing the upstream's md5 with the computed md5,
then generating a sha256 or rmd160 from it and comparing that with the
portfile.
Maybe the underlying issue for me is a way for MacPorts users to verify
the portfile's checksums with the upstream's checksum.
Blair
_______________________________________________
macports-dev mailing list
[email protected]
http://lists.macosforge.org/mailman/listinfo.cgi/macports-dev
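
The check described in the message above (download upstream's tarball, compare it with upstream's md5, then compare the same bytes with the portfile's sha256/rmd160), written out as an added example; it is not part of the original thread and not MacPorts code. It assumes a single-distfile `checksums` stanza; the function names and sample data are constructed for illustration.

```python
import hashlib

def parse_checksums(portfile_text):
    """Return {type: hexdigest} from a single-distfile `checksums` stanza."""
    joined = portfile_text.replace("\\\n", " ")  # fold backslash continuations
    for line in joined.splitlines():
        fields = line.split()
        if fields and fields[0] == "checksums":
            pairs = fields[1:]
            return {pairs[i].lower(): pairs[i + 1].lower()
                    for i in range(0, len(pairs) - 1, 2)}
    return {}

def digest(data, kind):
    """Hex digest of data, or None if this Python/OpenSSL build lacks the algorithm."""
    name = "ripemd160" if kind == "rmd160" else kind
    try:
        return hashlib.new(name, data).hexdigest()
    except ValueError:
        return None

def verify(tarball, upstream_md5, portfile_text):
    """Check one downloaded tarball against upstream's md5 and the Portfile's checksums."""
    report = {"upstream_md5": digest(tarball, "md5") == upstream_md5.strip().lower()}
    checked = []
    for kind, expected in parse_checksums(portfile_text).items():
        actual = digest(tarball, kind)
        report["portfile_" + kind] = None if actual is None else actual == expected
        if actual is not None:
            checked.append(actual == expected)
    # Pass only if upstream agrees and every Portfile checksum we could compute agrees.
    report["ok"] = report["upstream_md5"] and bool(checked) and all(checked)
    return report

# Constructed sample data: stand-in bytes for a distfile and a Portfile stanza for it.
SAMPLE_TARBALL = b"constructed stand-in for example-1.0.tar.gz"
SAMPLE_UPSTREAM_MD5 = hashlib.md5(SAMPLE_TARBALL).hexdigest()
SAMPLE_PORTFILE = (
    "name                example\n"
    "checksums           sha256  " + hashlib.sha256(SAMPLE_TARBALL).hexdigest() + " \\\n"
    "                    rmd160  " + (digest(SAMPLE_TARBALL, "rmd160") or "0" * 40) + "\n"
)

if __name__ == "__main__":
    print(verify(SAMPLE_TARBALL, SAMPLE_UPSTREAM_MD5, SAMPLE_PORTFILE))
```

A portfile whose sha256 matches the downloaded bytes still fails here when those bytes do not match upstream's published md5, which is the committer case the message raises.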