On Feb 15, 2008, at 8:21 PM, Ryan Schmidt wrote:
I would agree that ports should not use md5 alone, but I would also say that ports should not use sha1 or rmd160 alone. Ports should use all three checksum types.
port lint should warn if a portfile uses just a single type of checksum for a file.
I'm a bit surprised at this. Technically three sorts of checksum is very strong, but what are we concerned about here?

I don't think that the problem is malicious code injection. You can examine the source code if you care to do so.

I think that the checksums provide an easy way to determine that the correct source distributions have been downloaded. Often downloads are corrupted. Some distributions do not use version numbers on the file name; the checksum tells you that you have the correct bits.

MD5 is sufficient for verifying a successful download of a source tarball. MD5 may not be sufficient to prevent evil hackers from adding malicious elements to the source code, but in practice this is not going to happen: the attacker must transform the code into something that still compiles, performs their nefarious deeds, and has a given MD5 hash. I'd love to see a demonstration of that!

That said, I use rmd160 and sha1 for my ports, so who's being paranoid here? :-)

- boyd

Boyd Waters
Scientific Programmer (and failed MacPorts developer)
National Radio Astronomy Observatory
Socorro, New Mexico
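
The lint check proposed in the quoted text, sketched as an added example (not part of the original message and not MacPorts' own `port lint` code). It assumes a simplified reading of the Portfile `checksums` statement; the function names, the sample Portfile and its digests are constructed for illustration.

```python
import re

KNOWN_TYPES = {"md5", "sha1", "rmd160"}  # the three types named in the thread

# Constructed digests and Portfile fragment (placeholder values, not a real port).
MD5, SHA1, RMD160 = "0" * 32, "1" * 40, "2" * 40
SAMPLE_PORTFILE = (
    "name                example\n"
    "version             1.0\n"
    "checksums           example-1.0.tar.gz \\\n"
    f"                        md5 {MD5} \\\n"
    f"                        sha1 {SHA1} \\\n"
    f"                        rmd160 {RMD160} \\\n"
    "                    example-docs.tar.gz \\\n"
    f"                        md5 {MD5}\n"
)

def parse_checksums(portfile_text, default_file="(default distfile)"):
    """Return {distfile: {checksum_type: digest}} from 'checksums' statements."""
    joined = re.sub(r"\\[ \t]*\n", " ", portfile_text)  # fold continuation lines
    result = {}
    for line in joined.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "checksums":
            continue
        current, i = default_file, 1
        while i < len(tokens):
            if tokens[i] in KNOWN_TYPES and i + 1 < len(tokens):
                result.setdefault(current, {})[tokens[i]] = tokens[i + 1]
                i += 2
            else:  # any other token names the distfile the next pairs apply to
                current = tokens[i]
                i += 1
    return result

def lint_checksums(portfile_text):
    """Warn for every distfile that is covered by only one checksum type."""
    warnings = []
    for distfile, sums in parse_checksums(portfile_text).items():
        if len(sums) == 1:
            only = next(iter(sums))
            warnings.append(f"Warning: {distfile} has only a {only} checksum; "
                            "add the other types")
    return warnings

if __name__ == "__main__":
    for w in lint_checksums(SAMPLE_PORTFILE):
        print(w)
```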