16 Feb 2008, 8:11 a.m.
On Feb 16, 2008 2:57 AM, Ryan Schmidt <ryandesign@macports.org> wrote:
On Feb 16, 2008, at 01:49, William Allen Simpson wrote:
As long as we ONLY use hashes generated by the distfile author, located on the distfile site, and NEVER generate our own, we'll be fine.
But we don't do that. At least, I'm constantly generating my own checksums for my portfiles. The developers of most of my ports do not provide checksums.
Trust is not transitive. If you download a file, and generate your own hash, that really defeats the whole purpose of tarball verification. Then, it doesn't matter what checksum is used, or its cryptographic strength, as you have no way of indicating who generated that hash.
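To make the distinction concrete, here is an added Python example (not from this thread or from MacPorts itself) that parses a Portfile-style `checksums` line and contrasts a digest copied from the distfile author's site with one the port maintainer generated from whatever was downloaded; the tarball bytes and the alternating algorithm/value layout of the line are constructed assumptions.

```python
import hashlib

# Constructed sample data: the bytes the author actually released, and a
# copy that was altered somewhere between the author and the port maintainer.
UPSTREAM_TARBALL = b"genuine-release-1.0 contents\n"
TAMPERED_TARBALL = b"genuine-release-1.0 contents\n# inserted by a third party\n"

def digest(data: bytes, algo: str) -> str:
    """Hex digest using Portfile algorithm names (rmd160 maps to ripemd160)."""
    return hashlib.new("ripemd160" if algo == "rmd160" else algo, data).hexdigest()

def parse_checksums(line: str) -> dict:
    """Parse a line such as 'checksums sha256 <hex> sha1 <hex>' into {algo: hex}.
    Assumed layout: alternating algorithm/value pairs after the keyword."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "checksums" or len(tokens) % 2 == 0:
        raise ValueError("malformed checksums line: %r" % line)
    return dict(zip(tokens[1::2], tokens[2::2]))

def verify_distfile(data: bytes, checksums: dict) -> bool:
    """True only if every recorded digest matches the downloaded bytes."""
    return all(digest(data, algo) == value for algo, value in checksums.items())

def self_generated_line(first_download: bytes) -> str:
    """What a maintainer who generates their own checksums writes into the
    Portfile: a digest of whatever they happened to fetch."""
    return "checksums sha256 " + digest(first_download, "sha256")

def author_published_line(author_digest: str) -> str:
    """The same line, but the value was copied from the author's site, not computed locally."""
    return "checksums sha256 " + author_digest

def compare_provenance() -> dict:
    """Walk both scenarios from the thread and report what each line accepts."""
    # Scenario 1: the maintainer's first fetch was already tampered with.
    self_made = parse_checksums(self_generated_line(TAMPERED_TARBALL))
    # Scenario 2: the line carries the digest the author published out of band.
    published = parse_checksums(author_published_line(digest(UPSTREAM_TARBALL, "sha256")))
    return {
        # Self-generated: pins the tampered file and rejects the real release.
        "self_generated_accepts_tampered": verify_distfile(TAMPERED_TARBALL, self_made),
        "self_generated_accepts_genuine": verify_distfile(UPSTREAM_TARBALL, self_made),
        # Author-published: the only variant that catches the substitution.
        "published_accepts_tampered": verify_distfile(TAMPERED_TARBALL, published),
        "published_accepts_genuine": verify_distfile(UPSTREAM_TARBALL, published),
    }

if __name__ == "__main__":
    for name, ok in compare_provenance().items():
        print("%-35s %s" % (name, ok))
```

A locally generated digest only detects changes after the maintainer's first download; it says nothing about whether that download matched what the author released.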