Rogier Krieger <[email protected]> wrote:

> I suppose this is due to infrastructure/mk/bsd.port.mk setting
> _CIPHERS and PREFERRED_CIPHERS to only include sha256. Is that
> intentional?

Yes. To quote the commit message:

    Remove message digest algorithms other than SHA-256 for checksumming
    distfiles. MD5 is known to be insecure and RIPEMD-160 and SHA-1 are
    considered inferior to SHA-256. Also, the concatenation of different
    hashes is not more secure than its strongest component; see Antoine
    Joux, "Multicollisions in iterated hash functions. Application to
    cascaded constructions"
    http://www.iacr.org/cryptodb/archive/2004/CRYPTO/1472/1472.pdf

> I'm also unable to override the above using PREFERRED_CIPHERS in
> /etc/mk.conf. While the override seems to be taken into account, its
> value appears to be ignored by 'makesum'.

_CIPHERS is used for generating the checksum, and as the leading
underscore indicates, it is an internal variable and not intended to be
overridden. You can set PREFERRED_CIPHERS to choose the hash used for
verification by "make checksum", but there are currently no alternatives
to SHA-256.

-- 
Christian "naddy" Weisgerber [email protected]
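As an added illustration of the generate/verify split the reply describes (this is not code from the ports tree), here is a small Python model of makesum and "make checksum" that writes and then checks a distinfo-style entry with SHA-256 as the only accepted cipher. The `SHA256 (file) = <base64>` / `SIZE (file) = <bytes>` line format, the function names and the sample distfile bytes are assumptions or constructed for the example.

```python
import base64
import hashlib
import hmac
import re
from typing import Dict, Tuple

# Assumed distinfo line format (one entry per line):
#   SHA256 (foo-1.0.tar.gz) = <base64 digest>
#   SIZE (foo-1.0.tar.gz) = <bytes>
ENTRY_RE = re.compile(r"^(?P<algo>\w+) \((?P<file>[^)]+)\) = (?P<value>\S+)$")

# Stands in for PREFERRED_CIPHERS in bsd.port.mk: only SHA-256 is accepted,
# so stray MD5/SHA1/RMD160 entries in a distinfo file are simply ignored.
PREFERRED_CIPHERS = ("sha256",)


def makesum(name: str, data: bytes) -> str:
    """Model of 'make makesum': emit the SHA-256 and SIZE lines for one distfile."""
    digest = base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")
    return f"SHA256 ({name}) = {digest}\nSIZE ({name}) = {len(data)}\n"


def parse_distinfo(text: str) -> Dict[Tuple[str, str], str]:
    """Map (algorithm, filename) -> recorded value; unknown lines are skipped."""
    entries: Dict[Tuple[str, str], str] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[(m["algo"].lower(), m["file"])] = m["value"]
    return entries


def checksum(name: str, data: bytes, distinfo: str) -> Tuple[bool, str]:
    """Model of 'make checksum': verify one distfile against the recorded entries."""
    entries = parse_distinfo(distinfo)
    size = entries.get(("size", name))
    if size is not None and int(size) != len(data):
        return False, "size mismatch"
    for algo in PREFERRED_CIPHERS:
        expected = entries.get((algo, name))
        if expected is None:
            continue  # no entry for this cipher; try the next preferred one
        actual = base64.b64encode(hashlib.new(algo, data).digest()).decode("ascii")
        if hmac.compare_digest(actual, expected):
            return True, "ok"
        return False, f"{algo.upper()} mismatch"
    # Only weaker or missing digests were recorded: refuse rather than fall back.
    return False, "no entry for a preferred cipher"


if __name__ == "__main__":
    sample = b"constructed distfile contents\n"  # constructed sample input
    info = makesum("foo-1.0.tar.gz", sample)
    print(info, checksum("foo-1.0.tar.gz", sample, info))
```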
