On Sat, Feb 16, 2008 at 04:36:12AM +0100, Rainer Müller wrote:
js wrote:
As you know, MD5 has serious flaws (http://en.wikipedia.org/wiki/MD5). So recently I don't use it and even remove it when I find it in the checksum part of a portfile. I thought dropping use of md5 in portfiles would be nice.
Any thoughts?
I don't think these flaws are strong enough to discourage use of MD5 as a hashsum for file verification yet.
Leave in MD5, add one of the others as needed. Note that the (currently known) flaws in MD5 involve generating specific files ahead of time, not finding a matching MD5 for an existing file.

Which brings us to: How well do maintainers verify that the distfile they download and checksum is "valid"? Sure, it unpacks and builds (well, we sure hope so), but do they know that the authors of the distfile put together that distfile? I suspect this is a weaker point than MD5 alone is.

-eric
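The "leave in MD5, add one of the others" approach from the thread, as an added example that is not part of the original messages or MacPorts code: every declared digest must match, and a declaration carrying only md5 is flagged. The `type value` pair layout, the function names and the sample data are assumptions made for this sketch.

```python
import hashlib

# Digest types this sketch accepts (an assumption, not MacPorts' own list).
SUPPORTED = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}
# Types that are not accepted as the only digest on a distfile.
WEAK_ALONE = {"md5"}


def parse_checksums(spec):
    """Parse 'type value type value ...' into {type: lowercase hex digest}."""
    tokens = spec.split()
    if not tokens or len(tokens) % 2:
        raise ValueError("checksums must be type/value pairs")
    pairs = {}
    for kind, value in zip(tokens[0::2], tokens[1::2]):
        if kind not in SUPPORTED:
            raise ValueError("unsupported checksum type: " + kind)
        pairs[kind] = value.lower()
    return pairs


def verify_distfile(data, spec):
    """Return (ok, problems); every declared digest must match the data."""
    declared = parse_checksums(spec)
    problems = []
    for kind, expected in declared.items():
        if SUPPORTED[kind](data).hexdigest() != expected:
            problems.append(kind + " mismatch")
    if set(declared) <= WEAK_ALONE:
        problems.append("only md5 declared; add a second digest")
    # A clean result only shows the bytes equal what the maintainer hashed.
    # It says nothing about who produced the distfile in the first place.
    return (not problems, problems)


# Constructed sample distfile contents and checksum declarations.
SAMPLE = b"constructed distfile bytes\n"
GOOD = "md5 %s sha1 %s" % (hashlib.md5(SAMPLE).hexdigest(),
                           hashlib.sha1(SAMPLE).hexdigest())
MD5_ONLY = "md5 %s" % hashlib.md5(SAMPLE).hexdigest()

if __name__ == "__main__":
    print(verify_distfile(SAMPLE, GOOD))
    print(verify_distfile(SAMPLE, MD5_ONLY))
    print(verify_distfile(SAMPLE + b"tampered", GOOD))
```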