On Thu, Feb 12, 2009 at 04:05:14PM +0100, Hannah Schroeter wrote:
> Hi!
>
> On Thu, Feb 05, 2009 at 05:31:06PM -0500, Brad wrote:
> >On Thursday 05 February 2009 17:18:43 Marc Balmer wrote:
> >> shouldn't we abandon md5 in favor of e.g. sha256?
>
> >SHA256 has been the default for 2 years now.
>
> For ports, yes. For packages, more recently, IIRC. For the "MD5" file
> in the base distribution, not at all.
Packages were dependent on two things:

- sha256 support in perl, either through a home-made ssl interface (Simon was working on that), or through the base distro (which is what happened with perl 5.10).
- full PLIST checks, in particular wrt weird modes. These days, packages will complain if you have setuid files in them that do not have corresponding annotations in the packing-list.

The cool thing about it is the object-oriented design of the tools. With the proper abstraction, suddenly packages would cope with md5 or sha256 without errors, and it was just a question of switching the default to sha256.

I make big efforts in ensuring backward compatibility for package tools. I haven't tried recently, but it used to be the case that you could go back to a 3.6 installed machine, and the package tools would still grok the installed packages and update them more or less correctly.
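A sketch of the two checks described in the message above, as an added Python example that is not code from the OpenBSD package tools: the digest algorithm is an abstraction the checker is indifferent to, and a setuid or setgid file without a mode annotation draws a complaint. The packing-list syntax here (`@md5`, `@sha256`, `@mode` lines annotating the next file) and the sample package are constructed for the example, not OpenBSD's real PLIST format.

```python
import hashlib

# Digest abstraction: the checker does not care which algorithm the list uses,
# so switching the default from md5 to sha256 changes nothing in the check.
DIGESTS = {"md5": hashlib.md5, "sha256": hashlib.sha256}
SETUID_BITS = 0o6000  # S_ISUID | S_ISGID

def parse_plist(text):
    """Parse the simplified list: '@md5 HEX', '@sha256 HEX' and '@mode OCTAL'
    annotate the next plain file line. Returns (name, algo, hex, mode) tuples."""
    items, algo, digest, mode = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("@comment"):
            continue
        if line.startswith("@"):
            key, _, value = line[1:].partition(" ")
            if key in DIGESTS:
                algo, digest = key, value
            elif key == "mode":
                mode = int(value, 8)
            continue
        items.append((line, algo, digest, mode))
        algo = digest = mode = None
    return items

def check_package(plist_text, files):
    """files maps name -> (content bytes, actual mode). Returns complaints."""
    problems = []
    for name, algo, digest, declared_mode in parse_plist(plist_text):
        content, actual_mode = files[name]
        if algo and DIGESTS[algo](content).hexdigest() != digest:
            problems.append(f"{name}: {algo} mismatch")
        if actual_mode & SETUID_BITS and declared_mode is None:
            problems.append(f"{name}: setuid/setgid but no @mode annotation")
    return problems

# Constructed sample: one file altered after its md5 was recorded, and one
# setuid file with no @mode annotation in the list.
GOOD, ALTERED = b"#!/bin/sh\necho hello\n", b"#!/bin/sh\necho changed\n"
SAMPLE_PLIST = (
    f"@sha256 {hashlib.sha256(GOOD).hexdigest()}\nbin/hello\n"
    f"@md5 {hashlib.md5(GOOD).hexdigest()}\nbin/legacy\n"
    "@mode 4755\nbin/su-helper\nbin/stray-setuid\n"
)
SAMPLE_FILES = {"bin/hello": (GOOD, 0o755), "bin/legacy": (ALTERED, 0o755),
                "bin/su-helper": (GOOD, 0o4755), "bin/stray-setuid": (GOOD, 0o4755)}
```

Running `check_package(SAMPLE_PLIST, SAMPLE_FILES)` reports the md5 mismatch on `bin/legacy` and the unannotated setuid bit on `bin/stray-setuid`, while the sha256-checked and properly annotated files pass.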
