Ryan Schmidt wrote:
Disagree. Three types of checksums (md5, sha1, rmd160) in a portfile are stronger than just two.
I would agree that ports should not use md5 alone, but I would also say that ports should not use sha1 or rmd160 alone. Ports should use all three checksum types.
If we would do it correctly, we should only use hashes published by the authors of the software. Although many don't provide any, this would be the only way to be sure the file is the correct one. If a port maintainer creates the hashes, who ensures that he got the right file and not a compromised one? But if no checksums are provided upstream, Portfile authors will of course have to generate hashes themselves. We could also add other hashes, basically everything libcrypto provides as we are linking to it anyways.
port lint should warn if a portfile uses just a single type of checksum for a file.
Maybe this is desired as the original authors only released one checksum type? But sure we could encourage addition of other checksums this way.
In conclusion, as long as we do not take care if the Portfile itself was transferred securely, we do not have any security by using checksums for fetches. So checksums just prevent anybody from accidentally using a corrupted file.
Rainer
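The lint rule proposed in the thread (warn when a portfile gives a file only a single checksum type), sketched as an added Python example that is not part of the original message or the project's own `port lint` code. The `checksums` parsing is simplified, the set of types is limited to the three named in the thread, and the file names and digests in the sample are constructed placeholders.

```python
import re

# Checksum types named in the thread; treated here as the full set (assumption).
KNOWN_TYPES = {"md5", "sha1", "rmd160"}

def parse_checksums(portfile_text):
    """Return {filename: {type: value}} from a Portfile 'checksums' option.

    Simplified parsing (assumption): backslash-continued lines are joined, and
    any token that is not a known type name starts a new file's entry.
    A checksums line without a filename is stored under the key None.
    """
    joined = re.sub(r"\\[ \t]*\n", " ", portfile_text)
    result = {}
    for line in joined.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "checksums":
            continue
        current = None
        it = iter(tokens[1:])
        for tok in it:
            if tok in KNOWN_TYPES:
                value = next(it, None)
                if value is None:
                    raise ValueError(f"checksum type {tok!r} has no value")
                result.setdefault(current, {})[tok] = value
            else:
                current = tok
                result.setdefault(current, {})
    return result

def lint_checksums(portfile_text):
    """Return one warning per file that has fewer than two checksum types."""
    warnings = []
    for name, sums in parse_checksums(portfile_text).items():
        label = name or "(default distfile)"
        if not sums:
            warnings.append(f"{label}: no checksum given")
        elif len(sums) == 1:
            warnings.append(f"{label}: only one checksum type ({next(iter(sums))})")
    return warnings

# Constructed sample Portfile fragment; names and digests are placeholders.
SAMPLE = """\
name            example
checksums       example-1.0.tar.gz md5 0123abcd sha1 4567ef01 rmd160 89ab2345 \\
                example-docs-1.0.tar.gz md5 cdef6789
"""

if __name__ == "__main__":
    for w in lint_checksums(SAMPLE):
        print("Warning:", w)
```

Such a check only reports how many checksum types are listed; it says nothing about where the digests came from or how the Portfile itself was delivered.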