Jordan K. Hubbard wrote:
> Given all the other unfinished or unstarted work in MacPorts which
> needs to happen just to get the collection halfway reliable, it seems
> to me that arguing over the safety of a commonly used checksum is
> little more than a distraction and represents time that could
Ryan Schmidt wrote:
> Rainer has commented on your ticket so once you review those changes
> I imagine he'll commit it.
Yes, that was my intention :-)
> I saw your earlier message but did not have time to deal with it.
> Sometimes we're just short on time and tickets get forgotten.
That's of
On Feb 16, 2008, at 05:41, David Bruce wrote:
> I'm the upstream maintainer of tuxmath, and I also want to add it
> to MacPorts and become the port maintainer for it. So, regarding
> checksums, I take it that it would be best (from the point of view
> of MacPorts, and probably anyone
Ryan Schmidt wrote:
> Of course, this won't make Rainer happy. :-)
>
> http://trac.macosforge.org/projects/macports/browser/trunk/dports/editors/vim/files/patchlist?rev=34037
>
> Look at all them pretty md5s...
These md5s are released upstream [1] and I just use them. Of course I
now could
Hi,
I'm the upstream maintainer of tuxmath, and I also want to add it to MacPorts
and become the port maintainer for it. So, regarding checksums, I take it
that it would be best (from the point of view of MacPorts, and probably
anyone else who cares to verify that they are getting unaltered so
This is really a non-issue. The intent of the MD5 in the Portfile is
to easily identify when a source archive was corrupted during download,
or when a 404 file was obtained instead of a source archive. It's not
about security, it's about providing a checksum for data -- and to
that effect MD
On Feb 16, 2008 2:57 AM, Ryan Schmidt <[EMAIL PROTECTED]> wrote:
> On Feb 16, 2008, at 01:49, William Allen Simpson wrote:
> > As long as we ONLY use hashes generated by the distfile author,
> > located on the distfile site, and NEVER generate our own, we'll be fine.
>
> But we don't do that. At le
On Feb 16, 2008, at 01:49, William Allen Simpson wrote:
> On 2/15/08, Eric Hall wrote:
>
>> I believe there are attacks against MD5 that make it insufficient
>> to verify that the "right" distfile was downloaded.
>
> You believe incorrectly. All known attacks require that the generator
> of the t
William Allen Simpson wrote:
> On 2/15/08, Eric Hall <[EMAIL PROTECTED]> wrote:
> And that is the only relevant issue. Something that a hash cannot solve.
>
> As long as we ONLY use hashes generated by the distfile author, located
> on the distfile site, and NEVER generate our own, we'll be fine.
On 2/15/08, Eric Hall <[EMAIL PROTECTED]> wrote:
> I believe there are attacks against MD5 that make it insufficient
> to verify that the "right" distfile was downloaded.
>
You believe incorrectly. All known attacks require that the generator
of the tarball is compromised. That is, there ar
NP, author is free to ignore the warning message ;)
On Feb 16, 2008 2:36 PM, Ryan Schmidt <[EMAIL PROTECTED]> wrote:
>
>
> On Feb 15, 2008, at 23:29, js wrote:
>
> >> You might say we should therefore use sha1 or rmd160 instead. But
> >> what if a similar problem is discovered in sha1 or rmd160?
On Feb 15, 2008, at 23:29, js wrote:
>> You might say we should therefore use sha1 or rmd160 instead. But
>> what if a similar problem is discovered in sha1 or rmd160?
>
> MD5 already has one, others do not.
>
>> Even if flaws exist in all three checksum algorithms that enable
>> differing files
> You might say we should therefore use sha1 or rmd160 instead. But
> what if a similar problem is discovered in sha1 or rmd160?
MD5 already has one, others do not.
> Even if flaws exist in all three checksum algorithms that enable
> differing files to have the same checksum, it is virtually imp
On Feb 15, 2008, at 22:14, js wrote:
>> Disagree. Three types of checksums (md5, sha1, rmd160) in a portfile
>> are stronger than just two.
>> I would agree that ports should not use md5 alone, but I would also
>> say that ports should not use sha1 or rmd160 alone. Ports should use
>> all three c
Given all the other unfinished or unstarted work in MacPorts which
needs to happen just to get the collection halfway reliable, it seems
to me that arguing over the safety of a commonly used checksum is
little more than a distraction and represents time that could be
devoted to more importa
> Disagree. Three types of checksums (md5, sha1, rmd160) in a portfile
> are stronger than just two.
> I would agree that ports should not use md5 alone, but I would also
> say that ports should not use sha1 or rmd160 alone. Ports should use
> all three checksum types.
When we have sha1 and rmd160
Ryan Schmidt wrote:
> Disagree. Three types of checksums (md5, sha1, rmd160) in a portfile
> are stronger than just two.
>
> I would agree that ports should not use md5 alone, but I would also
> say that ports should not use sha1 or rmd160 alone. Ports should use
> all three checksum types.
On Fri, Feb 15, 2008 at 08:48:41PM -0700, Boyd Waters wrote:
>
[snip]
>
> MD5 is sufficient for verifying a successful download of a source
> tarball.
I believe there are attacks against MD5 that make it insufficient
to verify that the "right" distfile was downloaded.
>
> MD5 may n
On Feb 15, 2008, at 8:21 PM, Ryan Schmidt wrote:
> I would agree that ports should not use md5 alone, but I would also
> say that ports should not use sha1 or rmd160 alone. Ports should use
> all three checksum types.
>
> port lint should warn if a portfile uses just a single type of
> checksum f
On Sat, Feb 16, 2008 at 04:36:12AM +0100, Rainer Müller wrote:
> js wrote:
> > As you know, MD5 has serious flaws (http://en.wikipedia.org/wiki/MD5)
> > So recently I don't use it and even remove it when I find it in the
> > checksum part of portfile.
> > I thought dropping use of md5 in portfile
js wrote:
> As you know, MD5 has serious flaws (http://en.wikipedia.org/wiki/MD5)
> So recently I don't use it and even remove it when I find it in the
> checksum part of portfile.
> I thought dropping use of md5 in portfile would be nice.
>
> Any thoughts?
I don't think these flaws are strong e
On Feb 15, 2008, at 21:16, js wrote:
> As you know, MD5 has serious flaws (http://en.wikipedia.org/wiki/MD5)
> So recently I don't use it and even remove it when I find it in the
> checksum part of portfile.
> I thought dropping use of md5 in portfile would be nice.
>
> Any thoughts?
Disagree.
Hi,
As you know, MD5 has serious flaws (http://en.wikipedia.org/wiki/MD5)
So recently I don't use it and even remove it when I find it in the
checksum part of portfile.
I thought dropping use of md5 in portfile would be nice.
Any thoughts?